Bash update?
Moderator: Mattk
Bash update?
Is there going to be bash update due security break?
Re: Bash update?
I recommend not to expose the Meteohub directly to the Internet, but to upload data/graphs via FTP to your web server.
Doing so, there is no risk in having the unit hacked, neither shellshock or by other means.
Furthermore, my inspection of the web services provided by Meteohub showed, that they do not
allow for smuggling in shell enironment variables by giving URL parameters (which is the risk
in more technical terms).
So from my point of view Meteohub is save, but all this does not have come to an end, so I continue
to keep an eye on it. providing a new bash version is a good idea anyhow, but I wait until the
fixes have stabilized. First released fixes do not seem to close all the doors.
Doing so, there is no risk in having the unit hacked, neither shellshock or by other means.
Furthermore, my inspection of the web services provided by Meteohub showed, that they do not
allow for smuggling in shell enironment variables by giving URL parameters (which is the risk
in more technical terms).
So from my point of view Meteohub is save, but all this does not have come to an end, so I continue
to keep an eye on it. providing a new bash version is a good idea anyhow, but I wait until the
fixes have stabilized. First released fixes do not seem to close all the doors.
Re: Bash update?
Now, as situation around the shell shock fixes has stabilized, a BASH update on x86, RPI, SheevPlug and ARM-alikes (DC01, Dreamplug, iConnect) is scheduled for coming Meteohub version 5.0c. NSLU2 can't get the update as recompilation of a fixed BASH code does crash inside yacc. No idea why...