On 2014-10-08, Jason Adams <adams...@gmail.com> wrote: > On 09/29/2014 05:00 AM, Peter Hessler wrote: >> You tested bash. All 3 shells are behaving correctly by passing the env >> variable to the bash command you are running. the bash command you are >> running is behaving incorrectly by parsing the variable as a function. > > So the question is, for those of us that have added the bash package, > why is bash still vulnerable after all these weeks, when everyone else has > fixed > their bash packages? > > Just checked for updated pkg, today, and its still vulnerable.
Release packages (e.g. in $mirror/pub/OpenBSD/5.5/packages/amd64) do not get updated after the release is built. (Yes this means 5.6 too - the cut-off point was around early August). There are updates in the 5.5-stable ports tree that you can build yourself (see the faq), or see https://stable.mtier.org/ (third-party).