Describe qmail/警告 here.

http://marc.info/?l=qmail&m=141183309314366&w=2#0
http://marc.info/?l=qmail&m=141183736615433&w=2

qmail can be used as an attack vector to exploit bash vulnerable to CVE-2014-6271 (aka shellshock). This can be used to execute arbitrary commands as any valid user with a .qmail containing a program delivery. Common uses of program delivery are procmail, ezmlm, spam checkers, etc. As has already been said, upgrade your bash now!

The preconditions for this attack to work are:
{{{
1) "Shellshock"-vulnerable bash
2) /bin/sh symlinked to bash
3) Email delivery via qmail to a valid user with a .qmail file containing ANY program delivery (the actual program being delivered to is irrelevant)
}}}

== Conditions for the attack to succeed ==
 1. A vulnerable bash
 2. /bin/sh is a link to bash
 3. The .qmail file performs a program delivery (not the case where it only appends to a file)

Hosts such as m.qmail.jp (moin.qmail.jp) do not use bash, so these conditions do not hold there.

== Reason for disclosure ==
{{{
I delayed sending details publicly, but I think some people have figured it out now, and it's important to show the severity so people understand that shellshock is exploitable in ways other than HTTP and patch bash on all devices, especially perimeter ones.
}}}
I agree that it is important to make the danger widely known. Even without that, too many people would rather look away. -- ToshinoriMaeno <>

== This is what can happen with bash ==
http://www.circleid.com/posts/20140929_bashbleed_a_nasty_reminder_never_to_forget_security_101/
By Suresh Ramasubramanian, Architect, Antispam and Compliance

Lesson 1 – Always Sanitize Input Data in applications that you develop, or run.
Lesson 2 – Stay Informed
Lesson 3 – Make fixes (relatively) easy and pain free
Lesson 4 – Keep track of the security scene
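The three preconditions listed above can be audited on a mail host with the following script. It is an added example and is not code from the qmail mailing-list post or from the qmail project; the paths /bin/sh, /bin/bash and /home are conventional defaults and an assumption (override them as arguments), the function names are made up for this page, and the bash check is the function-import test published in the vendor advisories for CVE-2014-6271. It only reports; it runs no program deliveries.

```shell
#!/bin/sh
# Added example (not from the qmail list post or qmail itself): check whether
# the three shellshock-via-qmail preconditions hold on this host.
# Default paths /bin/sh, /bin/bash and /home are assumptions.

# Precondition 2: does the given sh path resolve to a bash binary?
sh_is_bash() {
    sh_path=${1:-/bin/sh}
    target=$(readlink -f "$sh_path" 2>/dev/null) || return 1
    case "$(basename "$target")" in
        bash|bash-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Precondition 1: does this bash import function definitions from the
# environment (CVE-2014-6271)? An unpatched bash runs the trailing command
# while importing the variable and prints the marker; a patched one does not.
bash_is_vulnerable() {
    bash_bin=${1:-/bin/bash}
    [ -x "$bash_bin" ] || return 1
    out=$(env x='() { :;}; echo MARKER' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in *MARKER*) return 0 ;; *) return 1 ;; esac
}

# Precondition 3: does a .qmail file contain a program delivery? In dot-qmail
# a line starting with "|" runs a program; "#" lines are comments, "&" lines
# forward, and mbox or ./Maildir/ lines append to a file and do not count.
qmail_has_program_delivery() {
    grep -q '^[[:space:]]*|' "$1" 2>/dev/null
}

# Print every .qmail* file directly under the home directories in $1 that
# contains a program delivery, one path per line.
list_program_deliveries() {
    find "$1" -maxdepth 2 -name '.qmail*' -type f 2>/dev/null |
    while IFS= read -r f; do
        if qmail_has_program_delivery "$f"; then printf '%s\n' "$f"; fi
    done
}

# Report on all three preconditions; the return value is how many of them
# hold (0-3). Only when all three hold is the host exploitable this way.
audit_host() {
    sh_path=${1:-/bin/sh}; bash_bin=${2:-/bin/bash}; home_base=${3:-/home}
    held=0
    if sh_is_bash "$sh_path"; then
        echo "[!] $sh_path resolves to bash (precondition 2 holds)"; held=$((held + 1))
    else
        echo "[ok] $sh_path is not bash"
    fi
    if bash_is_vulnerable "$bash_bin"; then
        echo "[!] $bash_bin imports functions from the environment (precondition 1 holds)"; held=$((held + 1))
    else
        echo "[ok] $bash_bin is patched or absent"
    fi
    deliveries=$(list_program_deliveries "$home_base")
    if [ -n "$deliveries" ]; then
        echo "[!] .qmail files with program deliveries (precondition 3 holds):"
        printf '%s\n' "$deliveries"; held=$((held + 1))
    else
        echo "[ok] no program deliveries under $home_base"
    fi
    [ "$held" -eq 3 ] && echo "[!!] all three preconditions hold: patch bash now"
    return "$held"
}

# Entry point when run as a script: audit the defaults (or the paths given).
if audit_host "$@"; then echo "none of the three preconditions hold"; fi
```

On a real qmail host, also point the third argument at /var/qmail/alias, since the .qmail-* files there are program deliveries for the alias user and are just as exposed as those under /home; the conditions are cumulative, so even a host that passes checks 1 and 2 should still be upgraded rather than relied on.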