Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Sep 2014 10:09:37 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Everett Batey <efbatey@gmail.com>
Cc:        Questions at FreeBSD <questions@freebsd.org>
Subject:   Re: BASH Shellshock and FreeBSD 4.X
Message-ID:  <20140929100937.0527cbae.freebsd@edvax.de>
In-Reply-To: <CAFBwhDY-dmS476OPWEBnj=TtywDQnCA8scOEmWdoxQwB_KNb6g@mail.gmail.com>
References:  <CAFBwhDY-dmS476OPWEBnj=TtywDQnCA8scOEmWdoxQwB_KNb6g@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Sun, 28 Sep 2014 13:59:13 -0700, Everett Batey wrote:
> Severely stuck in Time - OLD FBSD .. any bright ideas around /bin/bash
> risks AND NOT DONT TELL ME UPDATE FBSD .. - Dependencies I can NOT
> escape ..

Even if you actually have /bin/bash (in the root file system),
it's not the system's scripting shell, standard subshell or
standard interactive shell - except you made that change which
usually is a Very Bad Idea(TM). Just because bash is installed
doesn't imply your system is vulnerable to shellshock. If you
have read about the construction of the exploit, you will know
if you have vulnerable services running. But if you're just
using bash as an interactive shell for a user, it shouldn't be
a problem. :-)

Updating a 3rd party shell does _not_ require updating your
whole operating system. It _might_ be possible that you will
encounter dependency problems (programs that depend on a
specific version of bash, or bash itself that will require
specific versions of other ports), but that should be a
minimal problem and easily be solved. Note that bash is _not_
partof the FreeBSD operating system and therefore only lives
in "/usr/local space".

FreeBSD's standard scripting shell (and process subshell) is
not bash, it's sh, a Bourne shell descendant in its implementation
ash (Almquist shell) which is _not_ affected by shellshock.
The C shell, FreeBSD's standard dialog shell, also doesn't care.



> On other hand for FreeBSD 9.1-RELEASE-p7 is there an equivalent of yum
> update bash?

That depends on if you're using pkgng or pkg_ tools - or ports.

The "impolite" method with (old) pkg_ tools:

	# pkg_delete -f /var/db/pkg/bash-x.y.z
	# pkg_add -r bash

You can use tab completition to get the version number right.

If you're using ports:

	# portsnap fetch update
	# cd /usr/ports/shells/bash
	# make deinstall
	# make
	# make reinstall

You should now have the current (patched) version installed from
source. Additionally, you can set custom options for bash if you
need to (for example WITH_STATIC_BASH) - you only _have_ to do
this if the default options (from which the packages are built)
do not fit your requirements.

Do you use a port management tool like portupgrade or portmaster?
You can do it with one command:

	# portupgrade bash

or

	# portmaster shells/bash

Use the -P option if you don't want to compile from source, but use
the binary package (similar to pkg_add mentioned above). See the
manual of the program for reference.

But if you're already using pkgng on your system, it's easier:

	# pkg upgrade bash

This also uses a binary updating method.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20140929100937.0527cbae.freebsd>