And use this as an excuse to murder those old CGI shell scripts and stop using 
bash for application users that don't need it. 



On 25 September 2014 5:21:41 PM AEST, "McGinley, Ian R" 
<[email protected]> wrote:
>Log an SR asking for it.
>
>We’ve got one in the system for tracking internal change management
>purposes.
>
>In the meantime if it’s super dangerous for you, then pkgrm SUNWbash,
>or at least chmod 000 /bin/bash
>
>
>Ian McGinley
>Application Technology
>Consumer and Digital - Online
>03 8647 2433
>0457 724 419
>
>From: Tony Payne [mailto:[email protected]]
>Sent: Thursday, 25 September 2014 11:39 AM
>To: msosug
>Subject: [msosug] bash vulnerability in Solaris?.
>
>Hi All,
>
>I'm sure you've all heard about the bash vulnerability where:
>*"specially-crafted environment variables can be used to inject shell
>commands" unearthed by Stephane Chazelas very recently?
>
>Many Linux flavors have already released patches and according to the
>following test (see in full at:
>https://access.redhat.com/articles/1200223) Solaris 10 at least appears
>to be vulnerable.
>
>=========================
>Diagnostic Steps
>
>To test if your version of Bash is vulnerable to this issue, run the
>following command:
>
>$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>
>If the output of the above command looks as follows:
>
>vulnerable
>
>this is a test
>
>you are using a vulnerable version of Bash. The patch used to fix this
>issue ensures that no code is allowed after the end of a Bash function.
>Thus, if you run the above example with the patched version of Bash,
>you should get an output similar to:
>
>$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>
>bash: warning: x: ignoring function definition attempt
>
>bash: error importing function definition for `x'
>
>this is a test
>=========================
>
>
>Does anyone know if there is, or is planned, a patch for Solaris' bash
>implementation?
>
>
>* https://access.redhat.com/security/cve/CVE-2014-6271?sc_cid=70160000000e8eaAAA&;
>
>--
>Cheers,
>
>Tony.
>                            \|/ ____ \|/
>                             @~/ ,. \~@
>                            /_( \__/ )_\
>+------------------------------\__U_/----------------------------------+
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>msosug mailing list
>[email protected]
>http://mexico.purplecow.org/m/listinfo/msosug

-- 
Andre van Eyssen 
Mobile email - please excuse terse text. 
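The Red Hat diagnostic quoted in Tony's post, together with Andre's advice to stop giving application accounts a bash login shell and to retire old CGI shell scripts, can be turned into a small audit script. The script below is an added example for this page and is not code from the thread, from Red Hat or from Oracle. The function names are my own, the passwd lines and CGI files it scans are constructed sample data, and it assumes only a POSIX sh with awk, find, head and mktemp available.

```shell
#!/bin/sh
# Added example (not from the msosug thread): a defender's audit for
# CVE-2014-6271 on the local bash, plus two inventories that support the
# "stop using bash where it isn't needed" advice. All function names are
# this example's own.

# Prints "vulnerable", "patched" or "absent" for the bash binary named in
# $1 (default: whatever "bash" resolves to on PATH).
check_shellshock() {
    _bash="${1:-bash}"
    if ! command -v "$_bash" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # The Red Hat diagnostic: a function definition with trailing code is
    # exported via the environment. An unpatched bash runs the trailing
    # "echo vulnerable" while importing the function; a patched one ignores
    # (or warns about) the definition and only prints the -c command.
    _out=$(env x='() { :;}; echo vulnerable' "$_bash" -c 'echo this is a test' 2>/dev/null)
    case "$_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Reads passwd-format lines on stdin and prints the login names whose
# shell field (the 7th) is any path ending in /bash, one per line.
bash_login_accounts() {
    awk -F: '$7 ~ "/bash$" { print $1 }'
}

# Constructed sample passwd lines for demonstration; not from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/usr/bin/bash
daemon:x:1:1::/:/usr/bin/sh
webapp:x:1001:1001:Web app service account:/export/home/webapp:/bin/bash
oracle:x:1002:1002::/export/home/oracle:/usr/bin/ksh
batch:x:1003:1003::/var/batch:/bin/bash'

sample_bash_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | bash_login_accounts
}

# Prints every regular file under $1 whose first line is a bash shebang
# ("#!/bin/bash", "#!/usr/bin/env bash", ...): the CGI scripts that would
# run under bash and so inherit any environment-based bug in it.
bash_shebang_scripts() {
    find "$1" -type f | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Builds a throwaway cgi-bin tree with constructed files, scans it, and
# prints the bash-shebang files relative to the tree root, sorted.
sample_cgi_scan() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/cgi-bin"
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$_d/cgi-bin/status.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$_d/cgi-bin/report.pl"
    printf '#!/usr/bin/env bash\nuptime\n' > "$_d/cgi-bin/load.sh"
    bash_shebang_scripts "$_d" | sed "s|^$_d/||" | sort
    rm -rf "$_d"
}

# Usage when run directly on a host:
printf 'local bash: %s\n' "$(check_shellshock)"
printf 'bash login accounts in sample passwd: %s\n' "$(sample_bash_accounts | tr '\n' ' ')"
printf 'bash-shebang files in sample cgi-bin: %s\n' "$(sample_cgi_scan | tr '\n' ' ')"
```

On a real Solaris box you would feed `bash_login_accounts` with `getent passwd` (or /etc/passwd) and point `bash_shebang_scripts` at the web server's cgi-bin; `check_shellshock /usr/bin/bash` tests a specific binary rather than the first one on PATH. A result of "patched" only tells you the function-import path is closed; it says nothing about the later follow-on CVEs, so the SR Ian mentions is still the right place to track the vendor fix.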
