[OpenIndiana-discuss] Bash bug issue

outsider openindiana at out-side.nl
Thu Oct 2 20:37:27 UTC 2014


It is very strange with the Oracle updates for Solaris 10 & 11.

As far as I can see, Solaris 10 and Solaris 11 get different bash versions
after the patch.
I don't know what is allowed to be said about it in public, but both test
negative on the (simple) Shellshock tests I found.
(So they seem secured.)







-----Original message-----
From: Alan Coopersmith [mailto:alan.coopersmith at oracle.com]
Sent: Thursday, 2 October 2014 17:10
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] Bash bug issue

On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
> On Thu, 2 Oct 2014, Brandon Hume wrote:
>
>> On 26/09/2014 8:47 PM, Gary Gendel wrote:
>>> The current maintainer says it's been in bash for ~20 years, why 
>>> it's not in Solaris 10 is a mystery.
>>
>> It is in Solaris 10.  (And 11.)  The test being used is flawed:
>>
>>   env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>
> The good news is that if you have a support contract, there is a
> Solaris 10 bash patch which seems to solve all the reported attack vectors
> (in my own testing).
> It took Oracle two patches to get things right.

People found more bugs after the first patch went out.  There are 6 CVEs for
bash announced in the last week after all.

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
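
An added example, not part of the thread and not code posted by anyone in it: the quoted probe wrapped in a check that first confirms the binary under test is really bash, because a probe run through a non-bash /bin/sh passes regardless of bash's patch level. The function names `check_shell` and `report` are hypothetical, and the probe covers only the vector in the quoted test, not the later bash bugs mentioned above.

```shell
#!/bin/sh
# Added example: classify a shell binary with the function-import probe
# quoted in the thread, after confirming that the binary is actually bash.

# check_shell PATH -> prints one of: missing | not-bash | vulnerable | patched
check_shell() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return 0; }

    # Only bash sets BASH_VERSION. An empty result means the probe below
    # would exercise some other shell, so its "pass" would say nothing
    # about the bash package installed on the host.
    version=$("$shell" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || :
    [ -n "$version" ] || { echo not-bash; return 0; }

    # Same probe as in the thread, aimed at the binary under test.
    # "busted" in the output means the text after the function body ran.
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null) || :
    case $out in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# Report on the given paths, or on /bin/sh and the first bash in PATH.
report() {
    [ $# -gt 0 ] || set -- /bin/sh $(command -v bash 2>/dev/null)
    for s in "$@"; do
        printf '%s: %s\n' "$s" "$(check_shell "$s")"
    done
}

report "$@"
```

A `not-bash` result for /bin/sh means the host's bash still has to be probed by its own path.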
