It will be interesting if Oracle release a bash patch for all Solaris 11
versions (11, 11.1 and 11.2).
Or will they force everyone to go to the latest Solaris 11.2 SRU?
Andrew
On 25/09/2014 08:21, McGinley, Ian R wrote:
Log an SR asking for it.
We’ve got one in the system for tracking internal change management
purposes.
In the meantime, if it’s super dangerous for you, then pkgrm SUNWbash,
or at least chmod 000 /bin/bash
Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419
*From:*Tony Payne [mailto:[email protected]]
*Sent:* Thursday, 25 September 2014 11:39 AM
*To:* msosug
*Subject:* [msosug] bash vulnerability in Solaris?.
Hi All,
I'm sure you've all heard about the bash vulnerability where:
*"specially-crafted environment variables can be used to inject shell
commands" unearthed by Stephane Chazelas very recently?
Many linux flavors have already released patches and according to the
following test (see in full at:
https://access.redhat.com/articles/1200223) Solaris 10 at least
appears to be vulnerable.
=========================
Diagnostic Steps
To test if your version of Bash is vulnerable to this issue, run the
following command:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output of the above command looks as follows:
vulnerable
this is a test
you are using a vulnerable version of Bash. The patch used to fix this
issue ensures that no code is allowed after the end of a Bash
function. Thus, if you run the above example with the patched version
of Bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
=========================
Does anyone know if there is, or is planned, a patch for Solaris' bash
implementation?
* https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&
--
Cheers,
Tony.
\|/ ____ \|/
@~/ ,. \~@
/_( \__/ )_\
+------------------------------\__U_/----------------------------------+
_______________________________________________
msosug mailing list
[email protected]
http://mexico.purplecow.org/m/listinfo/msosug
--
Andrew Watkins * Birkbeck, University of London * Computer Science *
* UKOUG Solaris SIG Co-Chair *
http://notallmicrosoft.blogspot.com/
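The diagnostic and the chmod 000 workaround discussed in this thread, combined into a small audit script. This is an added example, not part of any message in the thread; the function names and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: audit bash binaries with the diagnostic quoted in the thread.
# Function names and candidate paths are assumptions; adjust for your hosts.

# classify_output TEXT
# Prints "vulnerable" if the command trailing the function definition ran,
# "not-vulnerable" if only the intended command ran, otherwise "inconclusive".
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        echo inconclusive
    fi
}

# check_bash PATH
# Prints one status word for the binary at PATH.
check_bash() {
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    # The chmod 000 workaround from the thread leaves the file non-executable.
    if [ ! -x "$1" ]; then echo disabled; return 0; fi
    # Same test as the quoted diagnostic; a patched bash's warnings go to stderr.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" \
          2>/dev/null) || true
    classify_output "$out"
}

# audit PATH...
# Prints "path<TAB>status" for each candidate binary.
audit() {
    for b in "$@"; do
        printf '%s\t%s\n' "$b" "$(check_bash "$b")"
    done
}

# Run as: sh audit.sh /bin/bash /usr/bin/bash /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

A status of "disabled" only means the binary at that path cannot be executed; other copies of bash on the host still need to be listed and checked.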