On Friday September 26 2014 06:51:01 Nathan Brazil wrote: > Looking through the details for the 2014-004 security update, I do not see > shellshock (CVE-2014-6271, CVE-2014-7169) included. > > But for myself, I switched over to MacPorts' installation of bash as well.
Couple points: - `port livecheck bash` indicate we're 2 point releases behind - http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/ suggests that there's no definite fix (yet), and that we'd probably be safer by linking /bin/sh to ash instead of bash - macports' dash is 1 point release behind - how about adding a variant to the bash (and dash) portfiles allowing users to copy the MacPorts version into /bin (moving the original version to something like bash.macportsBackup if that backup doesn't yet exist)? R. _______________________________________________ macports-users mailing list [email protected] https://lists.macosforge.org/mailman/listinfo/macports-users
