Date: Mon, 29 Sep 2014 10:09:37 +0200
From: Polytropon
To: Everett Batey
Cc: Questions at FreeBSD
Subject: Re: BASH Shellshock and FreeBSD 4.X
Message-Id: <20140929100937.0527cbae.freebsd@edvax.de>
Organization: EDVAX

On Sun, 28 Sep 2014 13:59:13 -0700, Everett Batey wrote:
> Severely stuck in Time - OLD FBSD .. any bright ideas around /bin/bash
> risks AND NOT DONT TELL ME UPDATE FBSD .. - Dependencies I can NOT
> escape ..

Even if you actually have /bin/bash (in the root file system), it's
not the system's scripting shell, standard subshell or standard
interactive shell - except you made that change which usually is
a Very Bad Idea(TM).

Just because bash is installed doesn't imply your system is
vulnerable to shellshock. If you have read about the construction
of the exploit, you will know if you have vulnerable services
running. But if you're just using bash as an interactive shell
for a user, it shouldn't be a problem. :-)

Updating a 3rd party shell does _not_ require updating your whole
operating system. It _might_ be possible that you will encounter
dependency problems (programs that depend on a specific version
of bash, or bash itself that will require specific versions of
other ports), but that should be a minimal problem and easily
be solved.

Note that bash is _not_ part of the FreeBSD operating system and
therefore only lives in "/usr/local space". FreeBSD's standard
scripting shell (and process subshell) is not bash, it's sh, a
Bourne shell descendant in its implementation ash (Almquist shell)
which is _not_ affected by shellshock. The C shell, FreeBSD's
standard dialog shell, also doesn't care.

> On other hand for FreeBSD 9.1-RELEASE-p7 is there an equivalent of yum
> update bash?

That depends on if you're using pkgng or pkg_ tools - or ports.

The "impolite" method with (old) pkg_ tools:

    # pkg_delete -f /var/db/pkg/bash-x.y.z
    # pkg_add -r bash

You can use tab completion to get the version number right.

If you're using ports:

    # portsnap fetch update
    # cd /usr/ports/shells/bash
    # make deinstall
    # make
    # make reinstall

You should now have the current (patched) version installed from
source. Additionally, you can set custom options for bash if you
need to (for example WITH_STATIC_BASH) - you only _have_ to do
this if the default options (from which the packages are built)
do not fit your requirements.

Do you use a port management tool like portupgrade or portmaster?
You can do it with one command:

    # portupgrade bash

or

    # portmaster shells/bash

Use the -P option if you don't want to compile from source, but
use the binary package (similar to pkg_add mentioned above). See
the manual of the program for reference.

But if you're already using pkgng on your system, it's easier:

    # pkg upgrade bash

This also uses a binary updating method.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
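
The reply's point that exposure depends on where bash is actually used can be checked on a host. The following sh script is an added example, not part of the original message: it reports whether an sh path is a symlink to bash, which accounts have bash as their login shell, and which scripts name bash as their interpreter. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): find where bash is really used.
# Function names are hypothetical; the sample tree below is constructed.

# Succeeds if the given sh path is a symlink that points at bash.
sh_is_bash() {
    case "$(readlink "$1" 2>/dev/null)" in
        bash|*/bash) return 0 ;;
    esac
    return 1
}

# Print accounts whose login shell (passwd field 7) is bash.
bash_login_users() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }' "$1"
}

# Print scripts under a directory whose interpreter line names bash.
bash_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if head -n 1 "$f" | grep -Eq '^#! *[^ ]*(/bash|/env +bash)( |$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: a passwd file, an sh symlink, and three scripts.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/scripts"
    ln -s /usr/local/bin/bash "$1/bin/sh"   # the "Very Bad Idea" case
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash' \
        'www:*:80:80:WWW Owner:/nonexistent:/usr/sbin/nologin' > "$1/passwd"
    printf '#!/bin/sh\necho ok\n'             > "$1/scripts/status.sh"
    printf '#!/usr/local/bin/bash\necho ok\n' > "$1/scripts/report.sh"
    printf '#!/usr/bin/env bash\necho ok\n'   > "$1/scripts/rotate.sh"
}

# Run the three checks against the constructed tree.
tree=$(mktemp -d) && make_sample_tree "$tree"
if sh_is_bash "$tree/bin/sh"; then echo "sh -> bash: yes"; else echo "sh -> bash: no"; fi
echo "bash login users: $(bash_login_users "$tree/passwd")"
echo "bash scripts:"; bash_scripts "$tree/scripts"
rm -rf "$tree"
```

On a real system, point the functions at /bin/sh, /etc/passwd and the directories holding scripts that network-facing services execute.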