[OpenIndiana-discuss] Bash bug issue
Roelof van der Wal
roelof at out-side.nl
Thu Oct 2 17:00:43 UTC 2014
The -07 version of the solaris 10 Oracle patch is from last monday. Seems
to me it fixes all. But had little time to test it.
On 2 oktober 2014 17:24:00 Alan Coopersmith <alan.coopersmith at oracle.com>
wrote:
> On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
> > On Thu, 2 Oct 2014, Brandon Hume wrote:
> >
> >> On 26/09/2014 8:47 PM, Gary Gendel wrote:
> >>> The current maintainer says it's been in bash for ~20 years, why it's
> not in
> >>> Solaris 10 is a mystery.
> >>
> >> It is in Solaris 10. (And 11.) The test being used is flawed:
> >>
> >> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> >
> > The good news is that if you have a support contract, there is a Solaris
> 10 bash
> > patch which seems to solve all the reported attack vectors (in my own
> testing).
> > It took Oracle two patches to get things right.
>
> People found more bugs after the first patch went out. There are 6 CVE's for
> bash announced in the last week after all.
>
> --
> -Alan Coopersmith- alan.coopersmith at oracle.com
> Oracle Solaris Engineering - http://blogs.oracle.com/alanc
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
More information about the openindiana-discuss
mailing list