Bash ShellShock bug(s)
Erik Stian Tefre
erik at tefre.com
Thu Sep 25 13:28:20 UTC 2014
I hereby declare the bash ShellShock bug(s) worthy of mention. Yes, bash
is just a port in FreeBSD, but:
- Hundreds of other ports (including network accessible ports) seem to
  depend on shells/bash. (Figuring out if they use it in a vulnerable way
  or not is left as an exercise for the reader.)
- Custom/third party apps might also be using bash.
- Some users prefer to chsh -s bash.
- [> Insert your favourite reason to patch here <]
References to the ShellShock bug(s):
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
^ Seems to be patched in ports, bash >= 4.3.25.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
^ Patch does not yet exist?
Here's a little copy-and-paste exercise for verifying CVE-2014-6271
vulnerability:
env var='() { ignore this;}; echo vulnerable' bash -c /usr/bin/true
--
Erik
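
Added example, not part of the original message: a small audit helper that runs the CVE-2014-6271 probe quoted above against specific bash binaries and lists accounts whose login shell is bash (the chsh -s bash case). The function names, the binary paths tried and the sample passwd data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# check_bash PATH -> prints "missing", "vulnerable" or "not-vulnerable".
# Same probe as in the message: a function-style environment variable with
# a trailing command. A fixed bash does not run the trailing command when it
# imports the environment. ":" replaces /usr/bin/true so the check does not
# depend on where true(1) lives.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    out=$(env var='() { ignore this;}; echo vulnerable' "$bin" -c : 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo not-vulnerable ;;
    esac
}

# bash_login_users: reads passwd(5)-format lines on stdin and prints the
# accounts whose last field (the login shell) is a binary named "bash".
bash_login_users() {
    awk -F: '/^#/ { next } $NF ~ /(^|\/)bash$/ { print $1 }'
}

# Constructed sample data, standing in for /etc/passwd.
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real system
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/usr/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/bin/bash
EOF
}

# Paths are assumptions: the port installs under /usr/local/bin on FreeBSD.
for b in /usr/local/bin/bash /bin/bash; do
    echo "$b: $(check_bash "$b")"
done

echo "accounts with bash as login shell (constructed sample):"
sample_passwd | bash_login_users
```

On a real host, feed the account list from `bash_login_users < /etc/passwd` instead of the sample.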