bash velnerability
Bryan Drewery
bdrewery at FreeBSD.org
Fri Sep 26 16:51:51 UTC 2014
On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <bdrewery at freebsd.org> wrote:
>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>> Dear all,
>>>
>>> In case you urgently need to go the manual route, here is one way to really patch your systems:
>>>
>>> https://www.circl.lu/pub/tr-27/
>>>
>>> Until the patch is in the bash upstream… (which it might be by now)
>>>
>>> Take care,
>>>
>>
>> The port has had the fixes since yesterday. The packages are building.
>>
>> --
>> Regards,
>> Bryan Drewery
>>
>
> Apparently, the full fix is still not delivered, accordingly to this:
> http://seclists.org/oss-sec/2014/q3/741
>
> Kind regards,
> Bartek Rutkowski
>
I'm pretty sure they call that a "feature". This is a bit different.
This is modifying the command used to call a function as the feature
intends. The vulnerability was that just parsing the environment would
execute the code.
TL;DR; You should cleanse your environment and only accept valid input
to work around this feature. The bash developer (Chet) said he would not
remove it by default, at least a few days ago.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140926/b8aba071/attachment.sig>
More information about the freebsd-security
mailing list