The current maintainer says it's been in bash for ~20 years; why it's not in Solaris 10 is a mystery.

On 9/26/14, 7:41 PM, Nemo wrote:
On 26 September 2014 17:02, Harry Putnam <rea...@newsguy.com> wrote:
Gary Gendel <g...@genashor.com> writes:

I believe we mostly skirt the issue because, unlike Linux, the default
shell (/bin/sh) is ksh93 not bash.  This means that under normal
conditions we shouldn't have an issue.  Only if your cgi scripts
actually request bash will apache be a problem.  As for ssh, it
depends upon the login shell for the user.
So, do you mean that ksh93 does not have the vulnerability?

Whence does the OI bash source originate?  On the bash that comes with
Solaris 10, the vulnerability is not present:

[~]=> bash --version
GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
Copyright (C) 2004 Free Software Foundation, Inc.
[~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed


N.

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
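
An added example, not part of the original messages: the one-line probe from the thread, wrapped so that it runs against each shell binary by explicit path, because the result only describes the shell that was actually invoked. The function names and the candidate path list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: run the thread's probe against each named shell binary.

MARKER="busted"   # same marker string the thread's one-liner uses

# probe_shell PATH
# Prints one of: "not installed", "VULNERABLE", "not vulnerable", "inconclusive".
probe_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "not installed"; return 0; }

    # Function-style environment value followed by a trailing command,
    # exactly as in the thread. A shell that imports the value and runs
    # the trailing command prints the marker before "completed".
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo completed" 2>/dev/null) || true

    case "$out" in
        *"$MARKER"*) echo "VULNERABLE" ;;
        *completed*) echo "not vulnerable" ;;
        *)           echo "inconclusive" ;;   # shell did not run the command at all
    esac
}

# report_shells PATH...
# Prints one "path  verdict" line per candidate.
report_shells() {
    for s in "$@"; do
        printf '%-16s %s\n' "$s" "$(probe_shell "$s")"
    done
}

# Candidate paths are assumptions; list every shell that CGI scripts or
# login accounts on the host can reach.
report_shells /bin/sh /bin/bash /usr/bin/bash /bin/ksh93 /usr/bin/ksh
```

A "not vulnerable" line for /bin/sh says nothing about /bin/bash or /usr/bin/bash; read each line separately.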


