On 09/25/2014 10:25 PM, ian kremlin wrote:
> /bin/sh is an implementation of *the bourne shell*, not the
> bourne-again shell (bash). in any case, neither /bin/sh nor ksh are
> vulnerable to the recent "shellshock" vulnerability.

Also, if OpenBSD had bash it still wouldn't be such a big issue as it is in Linux. The most common attack vector is Apache with PHP with scripts calling to system(), shell_exec(), etc. Since hosts with OBSD have httpd chrooted, even if they installed PHP, /bin/sh wouldn't be inside the jail. And even if they added /bin/sh and someone was able to exploit it, they will be trapped inside the jail. Of course this is all hypothetical because OBSD doesn't have bash to begin with.