bash velnerability
Bryan Drewery
bdrewery at FreeBSD.org
Thu Sep 25 16:57:49 UTC 2014
On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections. The "shellshock" bash
>> vulnerabilities are described by 2 CVEs. - CVE-2014-6271 -
>> CVE-2014-7169
>>
>> The first CVE is already fixed in latest freebsd ports tree
>> (r369185), so far the second CVE is not fixed yet.
>
> CVE-2014-7169 is fixed now (r369261).
>
> http://svnweb.freebsd.org/changeset/ports/369261
>
> Note the commit log says CVE-2014-3659 but it was actually reassigned
> as CVE-2014-7169.
>
> Jung-uk Kim
>
The port is fixed with all known public exploits. The package is
building currently.
However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor "apache". Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
Cheers,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140925/c56ecf3f/attachment.sig>
More information about the freebsd-security
mailing list