From: Kuleshov Aleksey
To: Patrick Proniewski
Cc: freebsd-security@freebsd.org
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 11:34:42 +0400
Message-Id: <1771201411976082@web22o.yandex.ru>
References: <2423691411974542@web12j.yandex.ru>
Right. Okay then, here it is:

# pkg remove bash
... change 'bash' to 'sh' in bashcheck ...
# sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser inactive, likely safe from unknown parser bugs

So there is no bash on my system anymore, but the script says it has one vulnerability. Is it actually a vulnerability, or is it me who must take a good sleep? :)

29.09.2014, 11:16, "Patrick Proniewski":
> On 29 sept. 2014, at 09:09, Kuleshov Aleksey wrote:
>> There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.
>>
>> % sh bashcheck
>> Vulnerable to CVE-2014-6271 (original shellshock)
>> Vulnerable to CVE-2014-7169 (taviso bug)
>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>> Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
>>
>> Does it mean that FreeBSD's sh is subject to such vulnerabilities?
>
> No, it just means the script uses bash and your bash is vulnerable.
>
> patpro