Bug in Bash shell creates big security hole on UNIX/LINUX.

A security vulnerability in the GNU Bourne Again Shell (Bash), the command-line shell used in many Linux and Unix operating systems, could leave systems running those operating systems open to exploitation by specially crafted attacks. “This issue is especially dangerous as there are many possible ways Bash can be called by an application,” a Red Hat security advisory warned.

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash. Patches have been issued by many of the major Linux distribution vendors for affected versions, including:

• Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
• CentOS (versions 5 through 7)
• Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
• Debian

A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server. And a malicious DHCP server set up on a network or running as part of an “evil” wireless access point could execute code on some Linux systems using the Dynamic Host Configuration Protocol client (dhclient) when they connect.

There are other services that run on Linux and Unix systems, such as the CUPS printing system, that are similarly dependent on Bash that could be vulnerable.

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

Originally Posted in : arstechnica.com 

How to Improve the Performance of Drupal Sites

A site is only as fast as its last mile connectivity. If users access a site from a slow connection, even a site capable of responding quickly to requests will appear to be slow. A content management system like Drupal throws in additional challenges to the Web architect in improving performance because, typically, the Apache process takes up more space than a site serving traditional HTML or PHP pages. Read on to take a look at the various external factors that impact performance, and explore ways to mitigate them.

Cache HTTP reverse proxy using Varnish on Ubuntu with Drupal 7

Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.

Varnish speed up Drupal sites through caching. In a single-server setup, Varnish sits at port 80 (rather than Apache) and calls out to Apache only if the request URL isn't cached or if another set of conditions are met. Those sets of conditions are usually spelled out in the default.vcl configuration file.

In order to set up Varnish on my latest Drupal 7 project, I needed to put together documentation from a lot of different places.

Busting The Biggest Myths About Linux!

For many years Windows was the only operating system for many computer users. In fact, a majority of these users even didn't know that there was any other OS in the world. And for this reason, Linux, the free and open-source operating system was totally alienated. And slowly when people started to hear about the Linux based OS, many misconceptions started to cloud the free flow of the free and open source OS. So here we are trying to put some light on the real facts by killing the popular misconceptions!

Google Person finder

Google has launched the Person finder for Uttrakhand floods - please popularize generously and share on your pages.

http://google.org/personfinder/2013-uttrakhand-floods

How Linux is Built

The MagPI Raspberry PI Magazine Issue 02 Released | Download pdf

The second issue of the MagPI magazine which is fully dedicated for the Raspberry PI project. In this issue of MagPI, there are many new tutorials for Linux distributions, python tutorials “Python Pit”, basic usage for RaspBerry PI, and the new section command line clinic. Check Download mirrors and quick preview link for the 2nd issue.

If you didn’t saw the first issue of MagPI you can have a quick peak or download it from this post.