[OpenIndiana-discuss] Bash bug issue
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Thu Oct 2 14:20:09 UTC 2014
On Thu, 2 Oct 2014, Brandon Hume wrote:
> On 26/09/2014 8:47 PM, Gary Gendel wrote:
>> The current maintainer says it's been in bash for ~20 years, why it's not
>> in Solaris 10 is a mystery.
>
> It is in Solaris 10. (And 11.) The test being used is flawed:
>
> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
The good news is that if you have a support contract, there is a
Solaris 10 bash patch which seems to solve all the reported attack
vectors (in my own testing). It took Oracle two patches to get things
right.
The obvious replacement for Solaris 10 has been OpenIndiana but
unfortunately, OpenIndiana has not been issuing any fixes for even the
most high-profile security issues (like this one).
Bob
--
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
More information about the openindiana-discuss
mailing list