[OpenIndiana-discuss] Bash bug issue

Gary Gendel gary at genashor.com
Fri Sep 26 23:47:06 UTC 2014


The current maintainer says it's been in bash for ~20 years; why it's
not in Solaris 10 is a mystery.

On 9/26/14, 7:41 PM, Nemo wrote:
> On 26 September 2014 17:02, Harry Putnam <reader at newsguy.com> wrote:
>> Gary Gendel <gary at genashor.com> writes:
>>
>>> I believe we mostly skirt the issue because, unlike Linux, the default
>>> shell (/bin/sh) is ksh93 not bash.  This means that under normal
>>> conditions we shouldn't have an issue.  Only if your cgi scripts
>>> actually request bash will apache be a problem.  As for ssh, it
>>> depends upon the login shell for the user.
>> So, do you mean that ksh93 does not have the vulnerability?
> Whence does the OI bash source originate?  On the bash that comes with
> Solaris 10, the vulnerability is not present:
>
> [~]=> bash --version
> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
> Copyright (C) 2004 Free Software Foundation, Inc.
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
>
>
> N.
>


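Whether a host is exposed, as discussed in the thread, comes down to which binary a path or a login shell actually resolves to. As an added example (not part of the thread), this sketch runs the test string quoted above against explicitly named shell binaries and lists the accounts in a passwd-format file whose login shell is bash; the function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are assumptions.

# probe_shell PATH: run the thread's test string against one named shell binary.
# Prints "affected" if the command trailing the function definition ran,
# "not-affected" if only the -c command ran, "unknown" if neither marker
# appeared, and "missing" if PATH is not an executable file.
probe_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 0; }
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*)    echo affected ;;
        *completed*) echo not-affected ;;
        *)           echo unknown ;;
    esac
}

# bash_login_users FILE: print accounts in a passwd-format FILE whose login
# shell (field 7) is a bash binary. These are the accounts for which ssh
# logins would start bash.
bash_login_users() {
    awk -F: '$7 ~ /\/bash$/ { print $1 }' "$1"
}

# audit_shells PATH...: one "path<TAB>result" line per candidate binary.
audit_shells() {
    for s in "$@"; do
        printf '%s\t%s\n' "$s" "$(probe_shell "$s")"
    done
}

# Constructed sample passwd entries (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:constructed:/root:/usr/bin/ksh93
alice:x:101:10:constructed:/export/home/alice:/usr/bin/bash
bob:x:102:10:constructed:/export/home/bob:/bin/ksh
webcgi:x:80:80:constructed:/var/www:/bin/bash
EOF
}

# Stand-alone use: ./audit.sh /bin/sh /usr/bin/bash /usr/bin/ksh93
if [ "$#" -gt 0 ]; then
    audit_shells "$@"
fi
```

Pass the real paths of every shell that CGI scripts or user accounts on the host reference, since `/bin/sh` and `bash` can be different binaries.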