From: Bryan Drewery (FreeBSD)
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Re: bash velnerability
Date: Thu, 25 Sep 2014 11:57:38 -0500
Message-ID: <54244982.8010002@FreeBSD.org>
In-Reply-To: <54243F0F.6070904@FreeBSD.org>

On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections. The "shellshock" bash
>> vulnerabilities are described by 2 CVEs.
>> - CVE-2014-6271
>> - CVE-2014-7169
>>
>> The first CVE is already fixed in latest freebsd ports tree
>> (r369185), so far the second CVE is not fixed yet.
>
> CVE-2014-7169 is fixed now (r369261).
>
> http://svnweb.freebsd.org/changeset/ports/369261
>
> Note the commit log says CVE-2014-3659 but it was actually reassigned
> as CVE-2014-7169.
>
> Jung-uk Kim
>

The port is fixed with all known public exploits. The package is building
currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big problem
   on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor "apache". Sandbox each
   application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
   written in bash.

Cheers,
Bryan Drewery
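An added example, not part of Bryan's mail or of anything in the FreeBSD ports tree: a POSIX sh script that audits guidelines 1, 2 and 6 above. It works only on constructed sample files in a temporary directory (the passwd entries, the symlinks and the authorized_keys lines are all made up, and the file at /usr/local/bin/bash is an empty placeholder, not the real binary), so it runs offline without touching the host. It goes slightly beyond the list by also flagging a forced-command script whose `#!` line names bash, since that runs bash just as surely as naming the interpreter directly.

```shell
#!/bin/sh
# Added example, not from the original mail. Audits three of the guidelines
# against constructed fixture files; nothing on the real system is inspected.

# True (exit 0) when the last path component of $1 names bash.
shell_is_bash() {
    case "${1##*/}" in
        bash|bash[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Guideline 1: /bin/sh must not point at bash. Follows symlinks by hand
# (bounded to 16 hops) so it does not depend on readlink -f being present.
sh_links_to_bash() {
    p=$1; n=0
    while [ -L "$p" ] && [ "$n" -lt 16 ]; do
        t=$(readlink "$p")
        case "$t" in /*) p=$t ;; *) p="${p%/*}/$t" ;; esac
        n=$((n + 1))
    done
    shell_is_bash "$p"
}

# Guideline 2: print "user shell" for every named account whose login shell
# in the given passwd-format file is not a nologin shell.
web_users_with_login_shell() {
    passwd_file=$1; shift
    for u in "$@"; do
        sh=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd_file")
        case "$sh" in
            */nologin|*/false) ;;
            "") printf '%s (not in passwd)\n' "$u" ;;
            *) printf '%s %s\n' "$u" "$sh" ;;
        esac
    done
}

# True when a command string runs bash: its first word is bash, or it is an
# existing script whose "#!" line names bash (directly or via env).
uses_bash() {
    set -- $1
    if shell_is_bash "$1"; then return 0; fi
    if [ -f "$1" ]; then
        first=$(head -n 1 "$1")
        case "$first" in
            '#!'*)
                set -- ${first#??}
                [ "${1##*/}" = env ] && shift
                shell_is_bash "$1" && return 0 ;;
        esac
    fi
    return 1
}

# Guideline 6: print each forced command in an authorized_keys file that runs
# bash. Assumes the command="..." value contains no escaped quotes.
forced_commands_using_bash() {
    sed -n 's/^.*command="\([^"]*\)".*$/\1/p' "$1" | while IFS= read -r cmd; do
        if uses_bash "$cmd"; then printf '%s\n' "$cmd"; fi
    done
}

# Constructed fixtures (hypothetical accounts, keys and paths) in $FIX.
make_fixtures() {
    FIX=$(mktemp -d)
    mkdir -p "$FIX/bin" "$FIX/usr/local/bin"
    : > "$FIX/usr/local/bin/bash"                 # placeholder, not a real binary
    : > "$FIX/bin/dash"                           # placeholder non-bash shell
    ln -s ../usr/local/bin/bash "$FIX/bin/sh"     # the bad, Linux-style link
    ln -s dash "$FIX/bin/sh_ok"                   # an acceptable link
    printf '#!/usr/local/bin/bash\necho rotate\n' > "$FIX/usr/local/bin/rotate.sh"
    cat > "$FIX/passwd" <<EOF
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
cgiapp:*:1001:1001:Constructed CGI account:/home/cgiapp:/usr/local/bin/bash
EOF
    cat > "$FIX/authorized_keys" <<EOF
command="/usr/local/bin/bash /usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAconstructed1 backup@example
command="/usr/local/bin/scponly",no-pty ssh-ed25519 AAAAconstructed2 upload@example
command="$FIX/usr/local/bin/rotate.sh --quiet",no-pty ssh-ed25519 AAAAconstructed3 rotate@example
ssh-rsa AAAAconstructed4 plain@example
EOF
}

# Stand-alone run: report findings against the fixtures, then clean up.
make_fixtures
if sh_links_to_bash "$FIX/bin/sh"; then echo "1: $FIX/bin/sh resolves to bash"; fi
web_users_with_login_shell "$FIX/passwd" www cgiapp | sed 's/^/2: login shell on web account: /'
forced_commands_using_bash "$FIX/authorized_keys" | sed 's/^/6: forced command runs bash: /'
rm -rf "$FIX"
```

On a real host you would point `sh_links_to_bash` at /bin/sh, `web_users_with_login_shell` at /etc/passwd with the httpd and CGI accounts, and `forced_commands_using_bash` at each user's ~/.ssh/authorized_keys; guideline 4 (which user httpd runs as) is a runtime property of the process and is not covered here.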