Date: Fri, 26 Sep 2014 21:42:21 +0000 (UTC)
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r369349 - head
Message-ID: <201409262142.s8QLgM4f005281@svn.freebsd.org>
Author: bdrewery Date: Fri Sep 26 21:42:21 2014 New Revision: 369349 URL: http://svnweb.freebsd.org/changeset/ports/369349 QAT: https://qat.redports.org/buildarchive/r369349/ Log: Reword bash entry a bit Modified: head/UPDATING Modified: head/UPDATING ============================================================================== --- head/UPDATING Fri Sep 26 21:32:03 2014 (r369348) +++ head/UPDATING Fri Sep 26 21:42:21 2014 (r369349) @@ -10,10 +10,11 @@ you update your ports collection, before AUTHOR: bdrewery@FreeBSD.org Bash supports a feature of exporting functions in the environment with - export -f. Running bash with exported functioned in the environment will - then import those functions into the environment. This resulted in - security issues CVE-2014-6271 and CVE-2014-7169, commonly known as - "shellshock". + export -f. Running bash with exported functions in the environment will + then import those functions into the environment of the script being ran. + This resulted in security issues CVE-2014-6271 and CVE-2014-7169, commonly + known as "shellshock". It also can result in poorly written scripts being + tricked into running arbitrary commands. To fully mitigate against this sort of attack we have applied a non-upstream patch to disable this functionality by default. You can execute bash
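Review bot: In the added line "then import those functions into the environment of the script being ran.", "being ran" should be "being run", and in the last added sentence "It also can result" reads more naturally as "It can also result". The new closing sentence says poorly written scripts can be "tricked into running arbitrary commands" without saying how. UPDATING is what administrators read to judge whether the non-upstream patch affects them, so consider adding one clause on the mechanism, for example that a function imported from the environment can take the place of a command the script calls by name. That would make it clear why the entry disables function import by default instead of relying only on the fixes for CVE-2014-6271 and CVE-2014-7169.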