On Wed, Oct 8, 2014, at 01:05 AM, Jason Adams wrote: > On 09/29/2014 05:00 AM, Peter Hessler wrote: > > You tested bash. All 3 shells are behaving correctly by passing the env > > variable to the bash command you are running. the bash command you are > > running is behaving incorrectly by parsing the variable as a function. > > So the question is, for those of us that have added the bash package, > why is bash still vulnerable after all these weeks, when everyone else > has fixed > their bash packages? > > Just checked for updated pkg, today, and its still vulnerable. >
This is not really a general OBSD question because it's not part of base. Ask the maintainer of the bash package why it hasn't been updated. Maybe the ports list? Or you could do it yourself.
