trad-gnu - [Trad Gnu] Fwd: Urgent translation Fwd: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

Subject: Working list for the translation of the GNU philosophy (public-subscription list)

  • From: Thérèse <godef.th AT free.fr>
  • To: trad-gnu AT april.org, traductions AT april.org
  • Subject: [Trad Gnu] Fwd: Urgent translation Fwd: Free Software Foundation statement on the GNU Bash "shellshock" vulnerability
  • Date: Fri, 26 Sep 2014 12:56:10 +0200

Hello everyone,

All hands on deck! ;-)
(and don't forget to install your update).

The pad is here:
https://pad.april.org/p/EnFr-fsf-statement-bash-vulnerability

Many thanks,
Thérèse

-------- Original message --------
Subject: Urgent translation Fwd: Free Software Foundation statement on the
GNU Bash "shellshock" vulnerability
Date: Fri, 26 Sep 2014 09:10:05 +0200
From: Fred <frederic AT couchet.org>
To: godef.th AT free.fr

Hi,

If possible, it would be great to quickly have a French translation of
the FSF's reaction to shellshock and to publish it directly on
april.org. We will probably follow it up with a reaction from April.

Don't hesitate to ask for help on IRC.

I will only be available on and off today, but don't hesitate to keep
me posted by email or SMS (0660688931).

Fred.


Free Software Foundation <info AT fsf.org> wrote:

>## Free Software Foundation statement on the GNU Bash "shellshock"
>vulnerability
>
>*This post can be viewed online at
><https://fsf.org/news/free-software-foundation-statement-on-the-gnu-bash-shellshock-vulnerability>.*
>
>A major security vulnerability has been discovered in the free
>software shell GNU Bash. The most serious issues have already been
>fixed, and a complete fix is well underway. GNU/Linux distributions
>are working quickly to release updated packages for their users. All
>Bash users should upgrade immediately, and audit the list of remote
>network services running on their systems.
>
>Bash is the [GNU Project's][1] shell; it is part of the suite of
>software that makes up the GNU operating system. The GNU programs plus
>the kernel Linux form a commonly used complete [free software][2]
>operating system, called GNU/Linux. The bug, which is being referred
>to as "shellshock," can allow, in some circumstances, attackers to
>remotely access and control systems using Bash (and programs that call
>Bash) as an attack vector, regardless of what kernel they are
>running. The bug probably affects many GNU/Linux users, along with
>those using Bash on proprietary operating systems like Apple's OS X
>and Microsoft Windows. Additional technical details about the issue
>can be found [at CVE-2014-6271][3] and [CVE-2014-7169][4].
>
>[GNU Bash][5] has been widely adopted because it is a free (as in
>freedom), reliable, and featureful shell. This popularity means the
>serious bug that was published yesterday is just as
>widespread. Fortunately, GNU Bash's license, the [GNU General Public
>License version 3][6], has facilitated a rapid response. It allowed
>[Red Hat][7] to develop and share patches in conjunction with Bash
>upstream developers' efforts to fix the bug, which anyone can download
>and apply themselves. Everyone using Bash has the freedom to download,
>inspect, and modify the code -- unlike with Microsoft, Apple, or other
>proprietary software.
>
>Software freedom is a precondition for secure computing; it guarantees
>everyone the ability to examine the code to detect vulnerabilities,
>and to create new and safe versions if a vulnerability is
>discovered. Your software freedom does not guarantee bug-free code,
>and neither does proprietary software: bugs happen no matter how the
>software is licensed. But when a bug is discovered in free software,
>everyone has the permission, rights, and source code to expose and fix
>the problem. That fix can then be immediately freely distributed to
>everyone who needs it. Thus, [these freedoms][2] are crucial for
>ethical, secure computing.
>
>Proprietary (aka nonfree) software relies on an unjust development
>model that denies users the basic freedom to control their
>computers. When software's code is kept hidden, it is vulnerable not
>only to bugs that go undetected, but to the easier deliberate addition
>and maintenance of [malicious features][8]. Companies can use the
>obscurity of their code to hide serious problems, and it has been
>documented that [Microsoft provides intelligence agencies with
>information about security vulnerabilities before fixing them][9].
>
>Free software cannot guarantee your security, and in certain
>situations may appear less secure on specific vectors than some
>proprietary programs. As was widely agreed in the aftermath of the
>OpenSSL "Heartbleed" bug, the solution is not to trade one security
>bug for the very deep insecurity inherently created by proprietary
>software -- the solution is to put energy and resources into auditing
>and improving free programs.
>
>Development of Bash, and GNU in general, is almost exclusively a
>volunteer effort, and [you can contribute][5]. We are reviewing Bash
>development, to see if increased funding can help prevent future
>problems. If you or your organization use Bash and are potentially
>interested in supporting its development, please [contact
>us](donate AT fsf.org).
>
>The patches to fix this issue can be obtained directly at
><http://ftp.gnu.org/gnu/bash/>.
>
>### Media Contacts
>
>John Sullivan
>Executive Director
>Free Software Foundation
>+1 (617) 542 5942
><campaigns AT fsf.org>
>
>[1]: https://www.gnu.org
>[2]: https://www.gnu.org/philosophy/free-sw
>[3]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>[4]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
>[5]: https://www.gnu.org/software/bash/
>[6]: https://www.gnu.org/licenses/gpl
>[7]: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>[8]: https://gnu.org/philosophy/proprietary
>[9]: http://www.computerworlduk.com/blogs/open-enterprise/how-can-any-company-ever-trust-microsoft-again-3569376/
>




