Date:      Thu, 02 Oct 2014 07:09:25 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: bash/shellshock question ....
Message-ID:  <542CEC15.8010307@FreeBSD.org>
In-Reply-To: <542CB964.7050003@hiwaay.net>
References:  <542CB964.7050003@hiwaay.net>


On 02/10/2014 03:33, William A. Mahaffey III wrote:
>
> .... Which version of FBSD 9.3 bash fixes the shellshock problem ? I did
> a 'pkg upgrade' Monday & my bash got upgraded from 4.3.24 ---> 4.3.25_1
> .... does that version fix the problem ? TIA ....

There's more than just the original shellshock bug: there has been a
whole series of related bugs.  This is the latest:

http://www.vuxml.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

Right now, you want the latest available version of bash installed,
which is bash-4.3.28 at the moment.  Keep an eye out for new advisories
and updates to the shells/bash port.

I think the latest round of patches to bash have probably fixed the
underlying problems, but that can only be established properly if they
pass the test of time.

Otherwise, consider how you are using bash on your systems.  If you're
only using it as the login shell for some trusted users then you aren't
really exposed and don't need to worry very much.  If you've got a bunch
of web-facing CGI scripts written in bash, or you've configured SSH
forced commands using bash then you need to take action.  Ultimately
switching to /bin/sh for those roles is a very good idea (since /bin/sh
is not bash on FreeBSD, for which we may all be sincerely thankful.)
Sometimes that's as easy as changing the #! line at the top of the
script, but it can involve some significant reprogramming.  If you can't
make that switch in a timely fashion, then firewall off or disable the
vulnerable services.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?542CEC15.8010307>
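
The inventory the message above recommends (CGI scripts written in bash, SSH forced commands using bash), as an added example that is not part of the original e-mail or of any FreeBSD tooling: it lists files whose #! line resolves to bash and authorized_keys command= entries that run bash. The function names are hypothetical, and the sample tree, paths and keys built by make_sample are constructed.

```sh
#!/bin/sh
# Succeeds if FILE's "#!" line runs bash, directly or through env.
uses_bash() (
    set -f                                  # no globbing while splitting words
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $first in '#!'*) ;; *) exit 1 ;; esac
    for word in ${first#??}; do
        case ${word##*/} in
            bash)   exit 0 ;;               # /usr/local/bin/bash, "env bash"
            env|-*) ;;                      # skip env and its options
            *)      exit 1 ;;               # some other interpreter
        esac
    done
    exit 1
)

# Print each regular file under DIR (a CGI directory, say) that bash runs.
list_bash_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if uses_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print "LINE: command" for each command="..." entry of an authorized_keys
# FILE whose program is bash or a bash script (assumes no escaped quotes).
list_bash_forced_commands() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        cmd=$(printf '%s\n' "$line" | sed -n 's/.*command="\([^"]*\)".*/\1/p')
        [ -n "$cmd" ] || continue
        prog=${cmd%% *}
        if [ "${prog##*/}" = bash ] || uses_bash "$prog"; then
            printf '%s: %s\n' "$n" "$cmd"
        fi
    done < "$1"
}

# Constructed sample (hypothetical paths and keys) for trying the functions.
make_sample() {
    mkdir -p "$1/cgi-bin"
    printf '#!/usr/local/bin/bash\necho ok\n' > "$1/cgi-bin/status.cgi"
    printf '#!/usr/bin/env bash\necho ok\n' > "$1/cgi-bin/env.cgi"
    printf '#!/bin/sh\necho ok\n' > "$1/cgi-bin/safe.cgi"
    printf '%s\n' "command=\"$1/cgi-bin/env.cgi\" ssh-ed25519 AAAAconstructed a" \
        'no-pty,command="/usr/bin/rsync --server" ssh-ed25519 AAAAconstructed b' \
        'command="/usr/local/bin/bash /opt/backup.sh" ssh-ed25519 AAAAconstructed c' \
        'ssh-ed25519 AAAAconstructed d' > "$1/authorized_keys"
}
```

sshd runs a forced command through the account's login shell, so the shell recorded for that account in the password database needs the same check.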