It is very strange with the Oracle updates for Solaris 10 & 11. As far as I can see, Solaris 10 and Solaris 11 get different bash versions after the patch. I don't know what I am allowed to say about it in public, but both test negative on the (simple) Shellshock tests I found (so they seem secured).

-----Original message-----
From: Alan Coopersmith [mailto:alan.coopersm...@oracle.com]
Sent: Thursday, 2 October 2014 17:10
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] Bash bug issue

On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
> On Thu, 2 Oct 2014, Brandon Hume wrote:
>
>> On 26/09/2014 8:47 PM, Gary Gendel wrote:
>>> The current maintainer says it's been in bash for ~20 years, why
>>> it's not in Solaris 10 is a mystery.
>>
>> It is in Solaris 10. (And 11.) The test being used is flawed:
>>
>> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>
> The good news is that if you have a support contract, there is a
> Solaris 10 bash patch which seems to solve all the reported attack vectors (in my own testing).
>

It took Oracle two patches to get things right. People found more bugs after the first patch went out. There are 6 CVEs for bash announced in the last week after all.

--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss