bash/shellshock question ....

Matthew Seaman matthew at FreeBSD.org
Thu Oct 2 06:09:38 UTC 2014


On 02/10/2014 03:33, William A. Mahaffey III wrote:
> 
> .... Which version of FBSD 9.3 bash fixes the shellshock problem ? I did
> a 'pkg upgrade' Monday & my bash got upgraded from 4.3.24 ---> 4.3.25_1
> .... does that version fix the problem ? TIA ....

There's more than just the original shellshock bug: there has been a
whole series of related bugs.  This is the latest:

http://www.vuxml.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

Right now, you want the latest available version of bash installed,
which is bash-4.3.28 at the moment.  Keep an eye out for new advisories
and updates to the shells/bash port.

I think the latest round of patches to bash have probably fixed the
underlying problems, but that can only be established properly if they
pass the test of time.

Otherwise, consider how you are using bash on your systems.  If you're
only using it as the login shell for some trusted users then you aren't
really exposed and don't need to worry very much.  If you've got a bunch
of web-facing CGI scripts written in bash, or you've configured SSH
forced commands using bash then you need to take action.  Ultimately
switching to /bin/sh for those roles is a very good idea (since /bin/sh
is not bash on FreeBSD, for which we may all be sincerely thankful.)
Sometimes that's as easy as changing the #! line at the top of the
script, but it can involve some significant reprogramming.  If you can't
make that switch in a timely fashion, then firewall off or disable the
vulnerable services.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
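
The review suggested above, as an added example that is not part of the original message: POSIX sh functions that list scripts whose #! line runs bash and authorized_keys forced commands that invoke bash. The function names and the usage line are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample paths are assumptions.

# Succeeds if FILE's first line is a #! that runs bash, directly or via env.
is_bash_script() {
    [ -f "$1" ] && head -n 1 "$1" 2>/dev/null | tr -d '\000' | LC_ALL=C grep -Eq \
        '^#![[:space:]]*[^[:space:]]*/(bash|env[[:space:]]+(.*[[:space:]])?bash)([[:space:]]|$)'
}

# Print each regular file under DIR (for example a CGI directory) that is a bash script.
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        if is_bash_script "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print "LINE: command" for each command="..." option in an authorized_keys
# FILE that names bash or whose first word is a bash script.
# Escaped quotes inside the command string are not handled.
find_bash_forced_commands() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
        [ -n "$cmd" ] || continue
        case " $cmd " in
            *"/bash "*|*" bash "*) printf '%s: %s\n' "$n" "$cmd" ;;
            *) if is_bash_script "${cmd%% *}"; then printf '%s: %s\n' "$n" "$cmd"; fi ;;
        esac
    done < "$1"
}

# Usage: sh audit.sh CGI_DIR AUTHORIZED_KEYS_FILE
if [ "$#" -eq 2 ]; then
    find_bash_scripts "$1"
    find_bash_forced_commands "$2"
fi
```

sshd runs a forced command through the account's login shell, so also check which of those accounts have bash as their shell.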

