[OpenIndiana-discuss] Bash bug issue

Richard L. Hamilton rlhamil at smart.net
Thu Oct 2 03:12:20 UTC 2014


I’m in a similar situation: Solaris 11 at home, without support contract.  My solution was to install OpenCSW’s updated bash (I had OpenCSW in place anyway), move /usr/bin/bash out of the way, and symlink /opt/csw/bin/bash to /usr/bin/bash.

Use a copy instead of a symlink if /opt is a separate filesystem!  And remember to undo those changes to /usr/bin _before_ installing a properly packaged update.

Until Apple released their fix, I did something similar on my Macs using MacPorts.

It’s temporary, and all my publicly accessible web servers etc have access controls anyway; but until a legitimate update comes along, it’s a lot better than nothing.  For Solaris 11, I’ll just have to wait for 11.3 to have an official fix without support contract (probably six months or so?).
 
On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:

> I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package.
> 
> This article (including many example exploits) was posted on another list:
> 
> http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html
> 
> Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service.  Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables and some program it invokes eventually happens to execute bash.
> 
> While bash is not a "native" shell for OpenIndiana, it is quite heavily used.  It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side.
> 
> Bob
> -- 
> Bob Friesenhahn
> bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
> 
> 
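
The interim workaround described in the message above (move the system bash aside, then symlink or copy the replacement into place, and undo it before a packaged update), written as shell functions that take the paths as arguments so they can be rehearsed on scratch directories first. This is an added example, not part of the original post; the function names and the `.orig` backup suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the ".orig"
# backup suffix are hypothetical; the paths are supplied by the caller.

# Print "symlink" if both directories live on the same mounted filesystem,
# otherwise "copy". A symlink into a separately mounted /opt dangles whenever
# that filesystem is not mounted, so a copy is the safe default.
link_or_copy() {
    src_mnt=$(df -P "$1" 2>/dev/null | awk 'END { print $NF }')
    dst_mnt=$(df -P "$2" 2>/dev/null | awk 'END { print $NF }')
    if [ -n "$src_mnt" ] && [ "$src_mnt" = "$dst_mnt" ]; then
        echo symlink
    else
        echo copy
    fi
}

# replace_bash NEW OLD [symlink|copy]
# Moves OLD to OLD.orig, then links or copies NEW into its place.
replace_bash() {
    new=$1
    old=$2
    [ -x "$new" ] || { echo "replacement $new is not executable" >&2; return 1; }
    if [ -e "$old.orig" ]; then
        echo "$old.orig already exists; restore it first" >&2
        return 1
    fi
    mode=${3:-$(link_or_copy "$(dirname "$new")" "$(dirname "$old")")}
    mv "$old" "$old.orig" || return 1
    case $mode in
        symlink) ln -s "$new" "$old" ;;
        copy)    cp -p "$new" "$old" ;;
        *)       false ;;
    esac || { mv "$old.orig" "$old"; return 1; }   # roll back on any failure
}

# restore_bash OLD
# Puts the original binary back; run this before installing a packaged update.
restore_bash() {
    old=$1
    [ -e "$old.orig" ] || { echo "no $old.orig to restore" >&2; return 1; }
    rm -f "$old" && mv "$old.orig" "$old"
}
```

On a real system the call would be `replace_bash /opt/csw/bin/bash /usr/bin/bash`, run with sufficient privileges, with `restore_bash /usr/bin/bash` as the undo step.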