On 9/25/2014 11:13 AM, Jung-uk Kim wrote:
> On 2014-09-25 02:54:06 -0400, Koichiro Iwao wrote:
>> Please let me make corrections. The "shellshock" bash vulnerabilities are described by 2 CVEs.
>> - CVE-2014-6271
>> - CVE-2014-7169
>>
>> The first CVE is already fixed in the latest FreeBSD ports tree (r369185); so far the second CVE is not fixed yet.
>
> CVE-2014-7169 is fixed now (r369261).
>
> http://svnweb.freebsd.org/changeset/ports/369261
>
> Note the commit log says CVE-2014-3659 but it was actually reassigned as CVE-2014-7169.
>
> Jung-uk Kim
The port is fixed with all known public exploits. The package is building currently. However, bash still allows the crazy exporting of functions and may still have other parser bugs. I would recommend for the immediate future not using bash for forced ssh commands, as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have a shell of /sbin/nologin.
3. Don't write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor "apache". Sandbox each application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be written in bash.

Cheers,
Bryan Drewery
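A small POSIX sh script, added here as an example and not part of Bryan's message or of the FreeBSD port, that turns the thread's points into checks an admin can run on a host: whether /bin/sh is bash (guideline 1), whether a given bash still answers the two widely published probe strings for CVE-2014-6271 and CVE-2014-7169, and whether exported functions are still imported by that bash (Bryan's caveat that the fix does not remove function export). The function names and the 0/1/2 return-code convention are this example's own; the probe strings are the public ones, not anything new.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a bash binary for the
# two shellshock CVEs and reports the conditions the thread warns about.
# Return codes of the CVE checks: 0 = not vulnerable, 1 = vulnerable,
# 2 = bash could not be run. Function names are this example's own.

bash_path() {
    # Resolve the interpreter under test; default is "bash" from PATH.
    command -v "${1:-bash}" 2>/dev/null
}

sh_is_bash() {
    # Guideline 1: system(3) and popen(3) run /bin/sh, so when /bin/sh is
    # bash every CGI that shells out hands attacker-set env vars to bash.
    /bin/sh -c 'test -n "$BASH_VERSION"' 2>/dev/null
}

shellshock_6271() {
    # CVE-2014-6271: commands after a function body in an exported variable
    # were executed while bash imported the function.  Public probe string.
    b=$(bash_path "$1") || return 2
    out=$(env x='() { :;}; echo vulnerable' "$b" -c 'echo probe' 2>/dev/null) || return 2
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

shellshock_7169() {
    # CVE-2014-7169: the incomplete first fix left a parser bug.  With the
    # public probe a vulnerable bash treats "echo" as a redirection target
    # and writes the output of "date" into a file named "echo" in the cwd,
    # so the check runs in a throwaway directory and looks for that file.
    b=$(bash_path "$1") || return 2
    d=$(mktemp -d) || return 2
    ( cd "$d" && env X='() { (a)=>\' "$b" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$d/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}

function_export_works() {
    # Bryan's caveat: even a fixed bash still imports functions exported by
    # a parent, so an untrusted environment still reaches the bash parser.
    b=$(bash_path "$1") || return 2
    out=$("$b" -c 'f() { echo exported; }; export -f f; "$0" -c f' "$b" 2>/dev/null) || return 2
    [ "$out" = "exported" ]
}

verdict() {
    # $1 = check name, $2 = return code from one of the checks above
    case "$2" in
        0) echo "$1: not vulnerable" ;;
        1) echo "$1: VULNERABLE" ;;
        *) echo "$1: could not run bash" ;;
    esac
}

shellshock_report() {
    b=${1:-bash}
    if sh_is_bash; then
        echo "/bin/sh is bash: anything calling system(3) runs bash (guideline 1)"
    else
        echo "/bin/sh is not bash"
    fi
    rc=0; shellshock_6271 "$b" || rc=$?
    verdict "CVE-2014-6271 ($b)" "$rc"
    rc=0; shellshock_7169 "$b" || rc=$?
    verdict "CVE-2014-7169 ($b)" "$rc"
    if function_export_works "$b"; then
        echo "$b still imports exported functions: keep bash out of CGI and forced commands"
    fi
    return 0
}

# Usage: sh shellshock-check.sh [path-to-bash]
shellshock_report "${1:-bash}"
```

Run it with the path of the bash you want to test (for example the freshly built port binary) and again with no argument to test whatever "bash" is on PATH; the last line of the report is the reminder that a non-vulnerable bash is still the wrong interpreter for forced commands and CGI.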