Bash ShellShock bug(s)

Кулешов Алексей rndfax at yandex.ru
Mon Sep 29 07:34:56 UTC 2014


Right. Okay then, here it is:

# pkg remove bash
... change 'bash' to 'sh' in bashcheck ...
# sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser inactive, likely safe from unknown parser bugs

So, there is no bash on my system anymore, but the script says it has one vulnerability.
Is it actually a vulnerability, or is it me who must take a good sleep? :)

29.09.2014, 11:16, "Patrick Proniewski" <patpro at patpro.net>:
> On 29 sept. 2014, at 09:09, Kuleshov Aleksey <rndfax at yandex.ru> wrote:
>>  There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.
>>
>>  % sh bashcheck
>>  Vulnerable to CVE-2014-6271 (original shellshock)
>>  Vulnerable to CVE-2014-7169 (taviso bug)
>>  Not vulnerable to CVE-2014-7186 (redir_stack bug)
>>  Vulnerable to CVE-2014-7187 (nessted loops off by one)
>>  Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
>>
>>  Does it mean that FreeBSD's sh is subject to such vulnerabilities?
>
> No, it just means the script uses bash and your bash is vulnerable.
>
> patpro

