On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: > On 9/29/2014 11:01 AM, Mike Tancsa wrote: >> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>> Apparently, the full fix is still not delivered, accordingly to this: >>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>> >>>>>> Kind regards, >>>>>> Bartek Rutkowski >>>>>> >>>>> >>>>> I'm pretty sure they call that a "feature". This is a bit different. >>> >>> I've disabled environment function importing in the port. Using >>> --import-functions will allow it to work if you need it. >> >> Hi Bryan, >> With the latest ports, bashcheck still sees some issues with bash. >> Are these false positives on FreeBSD ? >> >> Using >> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >> >> Not vulnerable to CVE-2014-6271 (original shellshock) >> Not vulnerable to CVE-2014-7169 (taviso bug) >> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash >> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null >> Vulnerable to CVE-2014-7186 (redir_stack bug) >> Test for CVE-2014-7187 not reliable without address sanitizer >> Variable function parser inactive, likely safe from unknown parser bugs >> >> ---Mike > > Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
Applying the first patch for parse.y from the following post passed the tests for me. http://www.openwall.com/lists/oss-security/2014/09/25/32 In fact, all major Linux distros seem to use it now. FYI, Jung-uk Kim _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
