Log an SR asking for it. We’ve got one in the system for tracking internal change management purposes.
In the meantime if it’s super dangerous for you, then pkgrm SUNWbash, or at least chmod 000 /bin/bash

Ian McGinley
Application Technology
Consumer and Digital - Online
03 8647 2433
0457 724 419

From: Tony Payne [mailto:[email protected]]
Sent: Thursday, 25 September 2014 11:39 AM
To: msosug
Subject: [msosug] bash vulnerability in Solaris?.

Hi All,

I'm sure you've all heard about the bash vulnerability where: *"specially-crafted environment variables can be used to inject shell commands" unearthed by Stephane Chazelas very recently?

Many Linux flavors have already released patches and according to the following test (see in full at: https://access.redhat.com/articles/1200223) Solaris 10 at least appears to be vulnerable.

=========================
Diagnostic Steps

To test if your version of Bash is vulnerable to this issue, run the following command:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

    vulnerable
    this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
=========================

Does anyone know if there is, or is planned, a patch for Solaris' bash implementation?

* https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&

--
Cheers,
Tony.

                                \|/ ____ \|/
                                @~/ ,. \~@
                               /_( \__/ )_\
+------------------------------\__U_/----------------------------------+
_______________________________________________
msosug mailing list
[email protected]
http://mexico.purplecow.org/m/listinfo/msosug
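
The diagnostic quoted in the message above, wrapped as a POSIX shell check that also recognises the chmod 000 stopgap from the reply. This is an added example, not part of the original thread; the list of candidate paths and the verdict names are assumptions.

```sh
#!/bin/sh
# Added example: classify bash binaries with the env-variable test quoted
# in the thread. Candidate paths and verdict names are assumptions.

NL='
'

# Turn the probe's combined stdout/stderr into a verdict.
# "vulnerable" must appear as a whole line, so the patched warning text
# ("ignoring function definition attempt") is never mistaken for it.
classify_output() {
    case "${NL}$1${NL}" in
        *"${NL}vulnerable${NL}"*)     echo vulnerable ;;
        *"${NL}this is a test${NL}"*) echo patched ;;
        *)                            echo unknown ;;
    esac
}

# Probe one binary. A file with no execute permission (for example after
# the chmod 000 stopgap) is reported without being run.
check_bash() {
    bin=$1
    [ -e "$bin" ] || { echo absent; return 0; }
    [ -x "$bin" ] || { echo not-executable; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# Report on each candidate location (assumed paths; adjust per host).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

A chmod 000 on one path does not cover other copies of bash on the same host, which is why every candidate is probed separately.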
