Date:      Mon, 29 Sep 2014 11:34:42 +0400
From:      Kuleshov Aleksey <rndfax@yandex.ru>
To:        Patrick Proniewski <patpro@patpro.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: Bash ShellShock bug(s)
Message-ID:  <1771201411976082@web22o.yandex.ru>
In-Reply-To: <B5F07349-45ED-4B38-892A-2F7F4A25C085@patpro.net>
References:  <2423691411974542@web12j.yandex.ru> <B5F07349-45ED-4B38-892A-2F7F4A25C085@patpro.net>

Right. Okay then, here it is:

# pkg remove bash
... change 'bash' to 'sh' in bashcheck ...
# sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser inactive, likely safe from unknown parser bugs

So, there is no bash on my system anymore, but the script says it has one vulnerability.
Is it actually a vulnerability, or is it me who must take a good sleep? :)

29.09.2014, 11:16, "Patrick Proniewski" <patpro@patpro.net>:
> On 29 sept. 2014, at 09:09, Kuleshov Aleksey <rndfax@yandex.ru> wrote:
>> There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.
>>
>> % sh bashcheck
>> Vulnerable to CVE-2014-6271 (original shellshock)
>> Vulnerable to CVE-2014-7169 (taviso bug)
>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>> Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
>>
>> Does it mean that FreeBSD's sh is subject to such vulnerabilities?
>
> No, it just means the script uses bash and your bash is vulnerable.
>
> patpro
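
The quoted reply notes that bashcheck's verdicts describe the bash it invokes, not the shell used to launch the script. As an added example (not part of the original thread and not bashcheck's own code), the following POSIX sh script reports whether a given interpreter is really bash before any bash-specific result is read against it. The function names are hypothetical, and it relies only on bash setting `BASH_VERSION`.

```sh
#!/bin/sh
# Added example: find out which interpreters are actually bash.
# Function names are hypothetical; the only fact relied on is that bash
# sets BASH_VERSION (also when started under the name "sh").

# Print the bash version reported by interpreter "$1", or nothing if the
# interpreter is not bash or cannot run the probe.
bash_version_of() {
    "$1" -c 'printf "%s" "${BASH_VERSION:-}"' </dev/null 2>/dev/null
}

# Print "<path>: bash <version>" or "<path>: not bash".
classify_shell() {
    v=$(bash_version_of "$1") || v=
    if [ -n "$v" ]; then
        printf '%s: bash %s\n' "$1" "$v"
    else
        printf '%s: not bash\n' "$1"
    fi
}

# Classify every executable entry of a shells file such as /etc/shells,
# skipping blank lines, comments and paths that do not exist.
audit_shells() {
    file=$1
    [ -r "$file" ] || return 0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if [ -x "$line" ]; then
            classify_shell "$line"
        fi
    done < "$file"
    return 0
}

# Usage: sh thisfile /etc/shells
if [ "$#" -gt 0 ]; then
    audit_shells "$1"
fi
```

Only the interpreters reported as bash are ones for which the CVE lines printed by bashcheck describe an installed bash.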


