From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Date: Thu, 02 Oct 2014 07:09:25 +0100
Subject: Re: bash/shellshock question ....
Message-ID: <542CEC15.8010307@FreeBSD.org>
In-Reply-To: <542CB964.7050003@hiwaay.net>

On 02/10/2014 03:33, William A. Mahaffey III wrote:
>
> .... Which version of FBSD 9.3 bash fixes the shellshock problem ? I did
> a 'pkg upgrade' Monday & my bash got upgraded from 4.3.24 ---> 4.3.25_1
> .... does that version fix the problem ? TIA ....

There's more than just the original shellshock bug: there has been a whole
series of related bugs. This is the latest:

http://www.vuxml.org/freebsd/512d1301-49b9-11e4-ae2c-c80aa9043978.html

Right now, you want the latest available version of bash installed, which
is bash-4.3.28 at the moment. Keep an eye out for new advisories and
updates to the shells/bash port. I think the latest round of patches to
bash have probably fixed the underlying problems, but that can only be
established properly if they pass the test of time.

Otherwise, consider how you are using bash on your systems. If you're only
using it as the login shell for some trusted users then you aren't really
exposed and don't need to worry very much.
If you've got a bunch of web-facing CGI scripts written in bash, or you've
configured SSH forced commands using bash then you need to take action.
Ultimately switching to /bin/sh for those roles is a very good idea (since
/bin/sh is not bash on FreeBSD, for which we may all be sincerely
thankful.) Sometimes that's as easy as changing the #! line at the top of
the script, but it can involve some significant reprogramming. If you can't
make that switch in a timely fashion, then firewall off or disable the
vulnerable services.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
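An added audit script, not part of the original exchange, that checks a FreeBSD host for the three things the reply raises: CGI scripts whose #! line is bash, SSH forced commands in authorized_keys that invoke bash, and an installed bash package older than 4.3.28. The CGI directory and authorized_keys path are placeholders passed on the command line, and `pkg query '%v' bash` is assumed to report the installed port version.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a FreeBSD host for the
# exposures the reply names: CGI scripts whose #! line runs bash, SSH forced
# commands (authorized_keys command="...") that invoke bash, and whether the
# installed shells/bash package is at least 4.3.28. All paths are assumptions.

# uses_bash FILE -> 0 if FILE's first line is a bash shebang
uses_bash() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -Eq '^#! *(/usr/local/bin/bash|/bin/bash|/usr/bin/env +bash)'
}

# bash_scripts DIR -> print every regular file under DIR whose #! line is bash
bash_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if uses_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# forced_bash_keys FILE -> print authorized_keys lines whose command= runs bash
forced_bash_keys() {
    grep -E '^[^#]*command="[^"]*bash' "$1" 2>/dev/null
}

# version_ge HAVE WANT -> 0 if HAVE >= WANT; port suffixes like _1 or ,1 are ignored
version_ge() {
    a=${1%%[_,]*}; b=${2%%[_,]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        if [ "$ca" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$cb" = "$b" ]; then b=; else b=${b#*.}; fi
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 1
    done
    return 0
}

# audit CGI_DIR KEYS_FILE -> print what needs action; returns 0 only if nothing does
audit() {
    rc=0
    scripts=$(bash_scripts "$1")
    [ -z "$scripts" ] || { printf '%s\n' "$scripts" | sed 's/^/bash CGI script, switch #! to \/bin\/sh or disable: /'; rc=1; }
    keys=$(forced_bash_keys "$2")
    [ -z "$keys" ] || { printf '%s\n' "$keys" | sed 's/^/bash SSH forced command: /'; rc=1; }
    have=$(pkg query '%v' bash 2>/dev/null || echo 0)   # 0 when pkg or bash is absent
    version_ge "$have" 4.3.28 || { echo "bash $have older than 4.3.28: run pkg upgrade"; rc=1; }
    return $rc
}
# e.g. ./audit.sh /usr/local/www/cgi-bin /home/user/.ssh/authorized_keys (placeholder paths)
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```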