We should all be running zsh anyway… (sorry Boyd, had to get in before you did)

Ben

> On 25 Sep 2014, at 6:13 pm, Andrew Watkins <[email protected]> wrote:
> 
> 
> It will be interesting if Oracle release a bash patch for all Solaris 11 
> versions (11, 11.1 and 11.2).
> Or will they force everyone to go to Solaris 11.2 SRU latest?
> 
> Andrew 
> 
> On 25/09/2014 08:21, McGinley, Ian R wrote:
>> Log an SR asking for it.
>>  
>> We’ve got one in the system for tracking internal change management purposes.
>>  
>> In the meantime, if it’s super dangerous for you, then pkgrm SUNWbash, or at 
>> least chmod 000 /bin/bash
>>  
>>  
>> Ian McGinley
>> Application Technology
>> Consumer and Digital - Online
>> 03 8647 2433
>> 0457 724 419
>>  
>> From: Tony Payne [mailto:[email protected]]
>> Sent: Thursday, 25 September 2014 11:39 AM
>> To: msosug
>> Subject: [msosug] bash vulnerability in Solaris?.
>>  
>> Hi All,
>>  
>> I'm sure you've all heard about the bash vulnerability where 
>> *"specially-crafted environment variables can be used to inject shell 
>> commands", unearthed by Stephane Chazelas very recently?
>>  
>> Many Linux flavors have already released patches, and according to the 
>> following test (see in full at: https://access.redhat.com/articles/1200223) 
>> Solaris 10 at least appears to be vulnerable.
>>  
>> =========================
>> Diagnostic Steps
>> To test if your version of Bash is vulnerable to this issue, run the 
>> following command:
>> 
>> $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>> 
>> If the output of the above command looks as follows:
>> 
>> vulnerable
>> this is a test
>> 
>> you are using a vulnerable version of Bash. The patch used to fix this issue 
>> ensures that no code is allowed after the end of a Bash function. Thus, if 
>> you run the above example with the patched version of Bash, you should get 
>> an output similar to:
>> 
>> $ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>> bash: warning: x: ignoring function definition attempt
>> bash: error importing function definition for `x'
>> this is a test
>> =========================
>>  
>>  
>> Does anyone know if there is, or is planned, a patch for Solaris' bash 
>> implementation?
>>  
>>  
>> * 
>> https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&;
>>  
>> -- 
>> Cheers, 
>> Tony. 
>>                             \|/ ____ \|/ 
>>                              @~/ ,. \~@ 
>>                             /_( \__/ )_\ 
>> +------------------------------\__U_/----------------------------------+ 
>> 
>> 
>> 
> 
> 
> -- 
> Andrew Watkins * Birkbeck, University of London * Computer Science *
> * UKOUG Solaris SIG Co-Chair *
> http://notallmicrosoft.blogspot.com/

_______________________________________________
msosug mailing list
[email protected]
http://mexico.purplecow.org/m/listinfo/msosug
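
Added example, not part of the original thread or the Red Hat article: a POSIX shell script that runs the diagnostic probe quoted above against each bash binary it finds and reports a verdict, including the case where the chmod 000 stopgap from the thread has been applied. The function names and the candidate paths other than /bin/bash are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify bash binaries using the probe quoted in the thread.

# Decide a verdict from the probe's combined stdout/stderr.
classify_output() {
    # A line that is exactly "vulnerable" means the command trailing the
    # function body in the environment variable was executed on import.
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -qx 'this is a test *'; then
        # The requested command ran and the injected one did not.
        echo not-vulnerable
    else
        # Neither marker seen: the binary did not behave like bash.
        echo indeterminate
    fi
}

# Run the probe against one binary and print a verdict for it.
check_bash() {
    bin=$1
    if [ ! -e "$bin" ]; then echo missing; return 0; fi
    # chmod 000 leaves the file in place but removes every execute bit.
    if [ ! -x "$bin" ]; then echo not-executable; return 0; fi
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1) || true
    classify_output "$out"
}

# Candidate locations (assumed; adjust for the host being audited).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

A "not-executable" result only confirms that the stopgap is in place; the binary itself is still unpatched.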