FSF Issues Statement On Shellshock Bash Vulnerability

Written by Michael Larabel in Free Software on 26 September 2014 at 10:48 AM EDT. 79 Comments
The Free Software Foundation has issued their response to this week's news of the "Shellshock" bug that affects Bash.

As most Phoronix readers are already aware, this week a very serious bug in Bash was exposed that has the potential for much greater impact than this year's OpenSSL Heartbleed bug. The Shellshock bug affects every release of Bash prior to this week's patches, on all platforms, and allows specially-crafted environment variables to inject commands: Bash imports function definitions from the environment, and a vulnerable Bash also executes whatever text follows the function body. Any service that passes attacker-controlled input into the environment of a Bash process is therefore exposed. If you're not familiar with this Bash vulnerability, I'd recommend checking out the Red Hat Security Blog for all of the details.
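The quickest practical check for the original Shellshock behaviour is to export a function definition with a trailing command and see whether Bash runs it while importing the environment. The script below is an added example, not code from the Phoronix article or from the FSF statement; the variable name SHELLSHOCK_PROBE and the three status strings it prints are my own choices, and it probes whichever bash is found on PATH unless a path is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the article or the FSF press release).
# Probe a bash binary for the original Shellshock behaviour: bash imports a
# function definition stored in an environment variable, and a vulnerable
# build also executes whatever follows the closing brace of that definition.
# Prints "vulnerable", "patched" or "no-bash".
shellshock_status() {
    bash_bin="$1"
    if [ -z "$bash_bin" ]; then
        # Default to whatever bash is first on PATH (assumption: that is the
        # shell whose patch level the caller cares about).
        bash_bin=$(command -v bash 2>/dev/null || true)
    fi
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 0
    fi

    # Only the command given to -c should ever run. A vulnerable bash also
    # prints "vulnerable" while importing SHELLSHOCK_PROBE from the
    # environment; a patched bash ignores the trailing command and emits a
    # warning on stderr instead, which we discard.
    probe=$(env SHELLSHOCK_PROBE='() { :;}; echo vulnerable' \
                "$bash_bin" -c 'echo this is a test' 2>/dev/null)

    case "$probe" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Report on the default bash when run directly.
shellshock_status
```

Run it as `sh shellshock_check.sh` or pass an explicit interpreter, e.g. `shellshock_status /bin/bash`. Note that this probe only covers the original command-injection case the article describes; the follow-up parser bugs that led to the "complete fix" still being worked on at the time are not exercised by it, so a "patched" result here means the first patch is present, not that every related issue is closed.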

With Bash being the GNU Project's shell, the Free Software Foundation issued a statement on the matter. They obviously encourage everyone to update their version of Bash immediately to obtain the fix for the most serious issue, while a complete fix for the Shellshock vulnerability continues to be devised. After telling everyone to upgrade, the FSF then immediately starts talking up Bash and its benefits in being free software under the GPL.


GNU Bash has been widely adopted because it is a free (as in freedom), reliable, and featureful shell. This popularity means the serious bug that was published yesterday is just as widespread. Fortunately, GNU Bash's license, the GNU General Public License version 3, has facilitated a rapid response. It allowed Red Hat to develop and share patches in conjunction with Bash upstream developers efforts to fix the bug, which anyone can download and apply themselves. Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

Software freedom is a precondition for secure computing; it guarantees everyone the ability to examine the code to detect vulnerabilities, and to create new and safe versions if a vulnerability is discovered. Your software freedom does not guarantee bug-free code, and neither does proprietary software: bugs happen no matter how the software is licensed. But when a bug is discovered in free software, everyone has the permission, rights, and source code to expose and fix the problem. That fix can then be immediately freely distributed to everyone who needs it. Thus, these freedoms are crucial for ethical, secure computing.

Proprietary (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Free software cannot guarantee your security, and in certain situations may appear less secure on specific vectors than some proprietary programs. As was widely agreed in the aftermath of the OpenSSL "Heartbleed" bug, the solution is not to trade one security bug for the very deep insecurity inherently created by proprietary software -- the solution is to put energy and resources into auditing and improving free programs.

Development of Bash, and GNU in general, is almost exclusively a volunteer effort, and you can contribute. We are reviewing Bash development, to see if increased funding can help prevent future problems. If you or your organization use Bash and are potentially interested in supporting its development, please contact us.

Those wishing to read the Free Software Foundation press release in full can find it at FSF.org.