bash velnerability
Bryan Drewery
bdrewery at FreeBSD.org
Mon Sep 29 16:13:28 UTC 2014
On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>
>>>>> Kind regards,
>>>>> Bartek Rutkowski
>>>>>
>>>>
>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>
>> I've disabled environment function importing in the port. Using
>> --import-functions will allow it to work if you need it.
>
> Hi Bryan,
> With the latest ports, bashcheck still sees some issues with bash.
> Are these false positives on FreeBSD ?
>
> Using
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>
> Not vulnerable to CVE-2014-6271 (original shellshock)
> Not vulnerable to CVE-2014-7169 (taviso bug)
> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
> Vulnerable to CVE-2014-7186 (redir_stack bug)
> Test for CVE-2014-7187 not reliable without address sanitizer
> Variable function parser inactive, likely safe from unknown parser bugs
>
> ---Mike
Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140929/5e8e4e91/attachment.sig>
More information about the freebsd-ports
mailing list