On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
> On Fri, Sep 26, 2014 at 6:40 PM, Bryan Drewery <[email protected]> wrote:
>> On 9/26/2014 2:36 AM, Steve Clement wrote:
>>> Dear all,
>>>
>>> In case you urgently need to go the manual route, here is one way to really
>>> patch your systems:
>>>
>>> https://www.circl.lu/pub/tr-27/
>>>
>>> Until the patch is in the bash upstream… (which it might be by now)
>>>
>>> Take care,
>>>
>>
>> The port has had the fixes since yesterday. The packages are building.
>>
>> --
>> Regards,
>> Bryan Drewery
>>
>
> Apparently, the full fix is still not delivered, according to this:
> http://seclists.org/oss-sec/2014/q3/741
>
> Kind regards,
> Bartek Rutkowski
>
I'm pretty sure they call that a "feature". This is a bit different. This is modifying the command used to call a function as the feature intends. The vulnerability was that just parsing the environment would execute the code.

TL;DR: You should cleanse your environment and only accept valid input to work around this feature.

The bash developer (Chet) said he would not remove it by default, at least a few days ago.

--
Regards,
Bryan Drewery
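An added example of the workaround Bryan describes, written for this page and not taken from the thread or from the FreeBSD port: a POSIX sh wrapper that runs a command under an allowlisted environment and drops any variable whose value starts with the bash function-export prefix `() {`. The function names (`is_clean_value`, `run_scrubbed`) and the sample variables are constructed for the example.

```shell
#!/bin/sh
# Environment scrubbing before handing control to a bash-based helper.
# Two layers: an allowlist of variable names (env -i drops everything else)
# and a value check that rejects anything shaped like an exported function.

# Return 0 if the value is acceptable, 1 if it looks like a bash function
# export, which the unpatched bash parser evaluated on startup.
is_clean_value() {
  case "$1" in
    "() {"*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Usage: run_scrubbed "NAME1 NAME2 ..." command [args...]
# Rebuilds the command line as "NAME=value ... command args" and runs it
# with env -i, so only clean, allowlisted variables reach the child.
run_scrubbed() {
  allow="$1"; shift
  for name in $allow; do
    # Skip anything that is not a plain identifier; it is used inside eval.
    case "$name" in *[!A-Za-z0-9_]* | "") continue ;; esac
    # Keep only variables that are actually set in this shell.
    eval "is_set=\${$name+x}"
    [ -n "$is_set" ] || continue
    eval "value=\$$name"
    if is_clean_value "$value"; then
      # Prepend the assignment; env treats leading NAME=value words as
      # environment entries, and quoting keeps spaces in values intact.
      set -- "$name=$value" "$@"
    else
      printf 'dropping %s: value looks like a function export\n' "$name" >&2
    fi
  done
  env -i "$@"
}
```

Constructed sample values `SAFE_VAR` and `FUNC_VAR` are used in the test below; in practice the allowlist would name only the variables the helper actually needs.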
