[OpenIndiana-discuss] Bash bug issue

Udo Grabowski (IMK) udo.grabowski at kit.edu
Thu Sep 25 11:20:17 UTC 2014


On 25/09/2014 13:08, Carl Brewer wrote:
> On 25/09/2014 6:50 PM, Alexander Pyhalov wrote:
>> On 09/25/2014 12:46, Udo Grabowski (IMK) wrote:
>>> On 25/09/2014 10:42, Jonathan Adams wrote:
>>>> http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
>>>>
>>> The bug "works", so we are affected with everything that
>>> is based on bash, as well as all users using bash in their
>>> projects.
>>> This is a bug with high impact and risks, so a fix should be
>>> available for oi dev and hipster as fast as possible.
>>
>> Hello.
>> I've seen fix for CVE-2014-6271, which I've already committed, but not
>> for CVE-2014-7169...
>>
>
> I'm stuck on 151a8 at the moment, is there any chance a fixed bash
> binary could be made available somewhere?
>

Recent discussions seem to lead to a general security concern
with the crippled bash parser, so there nearly certainly will
be more and more security issues in the next days to come up.
I think the better alternative is to provide 'dash' and symlink
bash to dash instead, as dash much cleaner, faster, and POSIX -
compliant. Although, as it has not been widely used as bash
yet, could have its own bugs not yet discovered....
-- 
Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology           http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026



More information about the openindiana-discuss mailing list