Date: Thu, 25 Sep 2014 15:21:04 +0200
From: Erik Stian Tefre <erik@tefre.com>
To: freebsd-security@freebsd.org
Subject: Bash ShellShock bug(s)
Message-ID: <542416C0.2040203@tefre.com>
I hereby declare the bash ShellShock bug(s) worthy of mention.

Yes, bash is just a port in FreeBSD, but:

Hundreds of other ports (including network accessible ports) seem to depend on shells/bash. (Figuring out if they use it in a vulnerable way or not is left as an exercise for the reader.)

Custom/third party apps might also be using bash.

Some users prefer to chsh -s bash.

[> Insert your favourite reason to patch here <]

References to the ShellShock bug(s):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
^ Seems to be patched in ports, bash >= 4.3.25.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
^ Patch does not yet exist?

Here's a little copy-and-paste exercise for verifying CVE-2014-6271 vulnerability:

    env var='() { ignore this;}; echo vulnerable' bash -c /usr/bin/true

-- 
Erik
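
The one-line check in the message above, extended to every bash binary on a host. This is an added example, not part of the original e-mail: the function names, the use of /etc/shells as a source of candidate paths and the per-run marker are assumptions, and like the original probe it covers CVE-2014-6271 only, not CVE-2014-7169.

```shell
#!/bin/sh
# Added example (not from the original message): run the CVE-2014-6271 probe
# against every bash binary found on the host.

# probe_bash PATH -> prints "vulnerable" or "not vulnerable"; returns 2 if
# PATH is not executable.
probe_bash() {
    [ -x "$1" ] || return 2
    # Same probe as in the message, with a per-run marker and the ':' builtin
    # so the result does not depend on where true(1) lives.
    marker="probe_$$"
    out=$(env var="() { ignore this;}; echo $marker" "$1" -c ':' 2>/dev/null) || true
    if [ "$out" = "$marker" ]; then echo vulnerable; else echo "not vulnerable"; fi
}

# list_bash_binaries [SHELLS_FILE] -> one path per line, de-duplicated.
list_bash_binaries() {
    shells_file=${1:-/etc/shells}
    {
        if [ -r "$shells_file" ]; then grep -E '^/.*/bash$' "$shells_file" || true; fi
        command -v bash 2>/dev/null || true
    } | sort -u
}

# scan_bash [SHELLS_FILE] -> prints "path<TAB>version<TAB>result" per binary;
# returns 1 if any binary is vulnerable. Paths are assumed to contain no spaces.
scan_bash() {
    status=0
    for b in $(list_bash_binaries "$@"); do
        result=$(probe_bash "$b") || continue
        ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=unknown
        printf '%s\t%s\t%s\n' "$b" "${ver:-unknown}" "$result"
        if [ "$result" = vulnerable ]; then status=1; fi
    done
    return "$status"
}

# Usage: scan_bash                 (or: scan_bash /path/to/shells)
```

A binary reported as "not vulnerable" here has only passed the CVE-2014-6271 probe; the version column is printed so the result can be compared with the patched port version mentioned in the message.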