From: Kuleshov Aleksey
To: freebsd-security@freebsd.org
Cc: na@rtfm.net, robert@ml.erje.net
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 11:09:02 +0400
Message-Id: <2423691411974542@web12j.yandex.ru>

There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.

% sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Does it mean that FreeBSD's sh is subject to such vulnerabilities?
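
An added example, not part of the original message and not code from the bashcheck project: a CVE-2014-6271 probe that takes the interpreter as an argument, so each result is attributed to one specific binary (for instance /bin/sh versus bash) rather than to whichever shell happened to run the checking script. The function names and the marker string are assumptions made for this sketch.

```shell
#!/bin/sh
# Attribute a CVE-2014-6271 check to a specific interpreter binary.
# The probe is harmless: the trailing command only prints a marker string.

MARKER="probe-marker-6271"   # constructed value, used only to detect execution

# probe_6271 <shell>: prints "vulnerable", "not vulnerable" or "not found".
probe_6271() {
    shell=$1
    # Resolve bare names through PATH; absolute paths are checked as given.
    path=$(command -v "$shell" 2>/dev/null) || { echo "not found"; return 0; }
    # Pass a variable whose value looks like a function definition followed
    # by a trailing command. A shell that imports functions from the
    # environment and keeps parsing past the closing brace runs the trailer.
    out=$(env "x=() { :;}; echo $MARKER" "$path" -c ':' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# report <shell>...: one result line per interpreter that was named.
report() {
    for s in "$@"; do
        printf '%-12s %s\n' "$s" "$(probe_6271 "$s")"
    done
}

# With no arguments, compare the system sh with bash (if installed).
[ "$#" -gt 0 ] || set -- /bin/sh bash
report "$@"
```

Comparing the line for /bin/sh with the line for bash shows which interpreter a finding belongs to; a "not found" line means that shell is not installed under that name.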