On Thu, 2 Oct 2014, Brandon Hume wrote:

> On 26/09/2014 8:47 PM, Gary Gendel wrote:
>> The current maintainer says it's been in bash for ~20 years, why it's not in Solaris 10 is a mystery.
>
> It is in Solaris 10.  (And 11.)  The test being used is flawed:
>
>   env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

The good news is that if you have a support contract, there is a Solaris 10 bash patch which seems to solve all the reported attack vectors (in my own testing). It took Oracle two patches to get things right.

The obvious replacement for Solaris 10 has been OpenIndiana, but unfortunately OpenIndiana has not been issuing any fixes for even the most high-profile security issues (like this one).

Bob
--
Bob Friesenhahn
[email protected], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
