On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
> I am not sure who has the ability to build and update OpenIndiana packages,
> but it will be really really bad for the future of OpenIndiana if it fails to
> supply a fixed version of its bash package.
>
> This article (including many example exploits) was posted on another list:
>
> http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html
>
> Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and
> (possibly) git service. Even if the service is implemented in Perl, Python,
> Java, or C, it may still be exploitable if it exports externally-provided
> data as environment variables and some program it invokes eventually happens to
> execute bash.
>
> While bash is not a "native" shell for OpenIndiana, it is quite heavily used.
> It is unfortunate that it is often used as a user login shell so it is
> painful to simply move the existing binary to the side.
>
> Bob
> --
> Bob Friesenhahn
> bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
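
The quoted message notes that a service in any language is exposed when it exports externally-provided data as environment variables and a child eventually runs bash. As an added example (not part of the original thread, and not OpenIndiana or bash project code), here is one way a service can scrub the environment before spawning helpers until a fixed bash is installed; the function names, the allowlist and the sample CGI variables are assumptions made for illustration.

```python
import re
import subprocess

# Pre-fix bash parsed any environment value that began with "() {" as an
# exported function definition. This pattern is slightly broader (it allows
# extra whitespace) so that near-misses are dropped as well.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")

# Assumed allowlist of names a child process needs; adjust per service.
SAFE_NAMES = {"PATH", "HOME", "LANG", "TZ"}


def suspicious_vars(env):
    """Names whose values look like bash function definitions."""
    return sorted(k for k, v in env.items() if FUNC_PREFIX.match(v))


def scrubbed_env(env, passthrough=()):
    """Allowlisted names only, and never a function-definition-like value."""
    allowed = SAFE_NAMES | set(passthrough)
    return {k: v for k, v in env.items()
            if k in allowed and not FUNC_PREFIX.match(v)}


def run_child(argv, env, passthrough=()):
    """Spawn a helper with the scrubbed environment, not the inherited one."""
    return subprocess.run(argv, env=scrubbed_env(env, passthrough),
                          capture_output=True, text=True, check=False)


# Constructed sample: a CGI-style environment built from request data.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "REMOTE_ADDR": "192.0.2.10",
    "QUERY_STRING": "id=7",
    "HTTP_ACCEPT": "text/html",
    "HTTP_USER_AGENT": "() { :; }; constructed-trailing-text",
    "HTTP_COOKIE": "()  { x; }",
}

if __name__ == "__main__":
    print("flagged:", suspicious_vars(SAMPLE_CGI_ENV))
    print("child env:", scrubbed_env(SAMPLE_CGI_ENV,
                                     ("QUERY_STRING", "HTTP_USER_AGENT")))
```

Scrubbing reduces exposure in services you control; it does not replace installing a fixed bash package, since other paths into bash (login shells, DHCP client hooks) never pass through this code.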