[OpenIndiana-discuss] Bash bug issue
Richard L. Hamilton
rlhamil at smart.net
Thu Oct 2 03:14:24 UTC 2014
On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn <bfriesen at simple.dallas.tx.us> wrote:
> I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package.
>
> This article (including many example exploits) was posted on another list:
>
> http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html
>
> Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service. Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables some program it invokes eventually happens to execute bash.
>
> While bash is not a "native" shell for OpenIndiana, it is quite heavily used. It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side.
>
> Bob
> --
> Bob Friesenhahn
> bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
More information about the openindiana-discuss
mailing list