[dbvqdpwn]

$this->bbcode_second_pass_quote('', 'H')owever, when I upgraded to that bash on my pogo E02, I could no longer authenticate for ssh with either public key (my usual way) nor password. When I downgraded bash back to the prior version, both forms of auth worked again. Note that my E02 was never upgraded to systemd as I keep it more or less in sync with my V3 pogos which no longer get updated unless necessary.

$this->bbcode_second_pass_quote('dbvqdpwn', '')$this->bbcode_second_pass_quote('karog', 'H')owever, when I upgraded to that bash on my pogo E02, I could no longer authenticate for ssh with either public key (my usual way) nor password. When I downgraded bash back to the prior version, both forms of auth worked again. Note that my E02 was never upgraded to systemd as I keep it more or less in sync with my V3 pogos which no longer get updated unless necessary.

[WarheadsSE]

The newer version expects /bin itself to be a link to /usr/bin .. so yes, it does not contain such a link.

[moonman]

I don't see why everyone is worried about this bug. Does anyone have privilidged shell access to your box? If yes you should worry, if not it really is not a big deal. Shared hosting might be affected, yes, as you may be able to gain access to somebody else's account or root, but a box that only you have access to - no.

[greenman]

Everyone -- again thanks for all the replies, explanations and considerations. I'm puttering on this in my spare time, so thanks for your patience when I don't reply immediately.

@bodhi -- Are these the forum threads being referred to?
http://forum.doozan.com/read.php?2,1604 ... #msg-17712
http://forum.doozan.com/read.php?3,16017

I'll give these a thorough read and then give your directions a try. Thank you.

@WarheadsSE, @karog -- If you do find that spare eureka moment one weekend, I hope you'll share your results. Cheers.

@moonman, I imagine there are few instances where an unsecured pogoplug poses a threat to someone's home network. I don't have a red phone on my desk or any data or information in my home network worth the time of anyone but friends and family. But not a few experts consider this exploit to be much worse than heartbleed. I just keep thinking that if a security risk is relatively easy to fix, it's better to plug the risk than to live with it. Recently I've been transferring all the capabilities that I like in my B01 to a raspberry pi. I'll likely shut down the B01 and wipe it if those in the pogoplug b01 community with the background and opportunity deem it's continued security less than supportable.

[moonman]

My point wasn't "this is a home device so who cares". The point is that if nobody has access to shell on your device except for you there is no threat. To get to bash you first need to get through ssh authentication. If somebody does guess your password you are screwed anyway regardless if there is a bash bug or not.
On shared hosting on the other hand ssh access is given to multiple people with a restricted access. With that bash bug someone can gain access to other people's resources.

[bodhi]

@greenman,

Yes. They are.