Virtual monkeys with typewriters reproduced the complete works of Shakespeare. Does that pass the Turing test?
1. Shellshock was discovered by Stéphane Chazelas, who reported it to bash maintainer Chet Ramey and a few others, and assigned CVE identifier CVE-2014-6271.
2. "CVE-2014-6271: remote code execution through bash" by Florian Weimer of Red Hat (2014-09-24) was one of the first public disclosures of the problem.
3. Florian Weimer (Debian contributor and Red Hat employee) posts a patch for bash that counters the attack.
4. Red Hat, CentOS, Fedora, Oracle Linux, Debian, and Ubuntu adopt Weimer’s patch. Apple’s later OS X bash update 1.0 includes it as well.
5. Chet Ramey posts bash43-027 at 2014-09-27 22:50:07, accepting Weimer's patch into the upstream mainline.
Remember, it's always good to cite your sources (if you have any).
And now, it's been fun but good night!
"Most source packages in all Ubuntu components are copied unmodified from Debian."
Oh NOES right on the Debian wiki it says that Unstable might have horrible bugs! And if you run it on a server you are insane!
And... it says Debian's security team only covers Stable. Maybe this is why the Ubuntu forums got hacked and every user account, password and email address was stolen?