On 9/27/14, 1:41 AM, Nemo wrote:
> On 26 September 2014 17:02, Harry Putnam <[email protected]> wrote:
>> Gary Gendel <[email protected]> writes:
>>
>>> I believe we mostly skirt the issue because, unlike Linux, the default
>>> shell (/bin/sh) is ksh93 not bash. This means that under normal
>>> conditions we shouldn't have an issue. Only if your cgi scripts
>>> actually request bash will apache be a problem. As for ssh, it
>>> depends upon the login shell for the user.
>>
>> So, do you mean that ksh93 does not have the vulnerability?
>
> Whence does the OI bash source originate? On the bash that comes with
> Solaris 10, the vulnerability is not present:
>
> [~]=> bash --version
> GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
> Copyright (C) 2004 Free Software Foundation, Inc.
> [~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
> completed
In general, bash != /bin/sh on either Solaris or Illumos-derived systems.
Rerun the env test with bash instead of /bin/sh.

--
Saso

_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
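The point Saso makes is that the env test in Nemo's transcript exercised /bin/sh (ksh93 on illumos/Solaris), not bash, so it says nothing about the bash binary on the host. The script below is an added example, not code from the thread or the OpenIndiana project: it runs the same environment-function test against each shell path you name and reports per binary, so the default shell and bash are checked separately. It assumes only POSIX sh and the env utility; the shell paths are constructed sample inputs.

```shell
#!/bin/sh
# Added example (not from the thread): run the env-function test from the
# quoted transcript against a given shell binary and report what happened.
#
# check_shell /path/to/shell
#   prints "missing"    if the path is not an executable
#   prints "vulnerable" if the shell ran the trailing command from the
#                       environment (the "busted" line appeared)
#   prints "patched"    otherwise (only "echo completed" ran)
# Always returns 0 so callers can keep iterating over a list of shells.
check_shell() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo "missing"
        return 0
    fi
    # Same payload as in the transcript: an exported function definition
    # followed by a trailing command. The child shell is asked only to
    # "echo completed"; a fixed (or non-bash) shell prints just that.
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *busted*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
    return 0
}

# Check each candidate separately. On illumos/Solaris /bin/sh is ksh93,
# so it is expected to report "patched" regardless of what the bash
# binary on the same host reports; that is why both must be listed.
# The path list is a constructed sample; adjust it for the host.
check_all() {
    for s in /bin/sh /bin/bash /usr/bin/bash "${SHELL:-/bin/sh}"; do
        printf '%-16s %s\n' "$s" "$(check_shell "$s")"
    done
}

check_all
```

Because the test only exercises the shell named on the command line, the login shell for ssh users and the interpreter named by each CGI script should each be checked with their own path.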
