I am not sure who has the ability to build and update OpenIndiana packages, but it will be really really bad for the future of OpenIndiana if it fails to supply a fixed version of its bash package.

This article (including many example exploits) was posted on another list:

http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html

Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and (possibly) git service. Even if the service is implemented in Perl, Python, Java, or C, it may still be exploitable if it exports externally-provided data as environment variables and some program it invokes eventually happens to execute bash.

While bash is not a "native" shell for OpenIndiana, it is quite heavily used. It is unfortunate that it is often used as a user login shell so it is painful to simply move the existing binary to the side.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
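
Added example, not part of the original message or of any OpenIndiana code: a Python sketch of the exposure described above, where a service written in another language copies request data into environment variables, together with a stopgap filter applied before any child process is started. The function names and sample headers are assumptions made for illustration; the filter does not replace a fixed bash package.

```python
import re
import subprocess

# Unpatched bash treated an environment value beginning with "() {" as an
# exported function definition. This pattern is deliberately a little looser
# (it also tolerates leading and inner whitespace).
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")

def cgi_env_from_headers(headers, base_env=None):
    """Map request headers to HTTP_* variables the way a CGI gateway does."""
    env = dict(base_env or {})
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def scrub_env(env):
    """Return (clean_env, dropped_names), dropping function-like values."""
    clean, dropped = {}, []
    for name, value in env.items():
        if FUNC_DEF.match(value):
            dropped.append(name)   # worth logging: likely a probe
        else:
            clean[name] = value
    return clean, sorted(dropped)

def run_scrubbed(argv, env):
    """Start a child with only the scrubbed environment (hypothetical helper)."""
    clean, dropped = scrub_env(env)
    proc = subprocess.run(argv, env=clean, capture_output=True, text=True)
    return proc, dropped

# Constructed sample request headers, not taken from real traffic.
SAMPLE_HEADERS = {
    "Host": "www.example.org",
    "User-Agent": "() { :; }; echo constructed-sample",
    "Accept": "text/html",
    "Cookie": "  () { :; }; echo constructed-sample",
}

def demo():
    env = cgi_env_from_headers(SAMPLE_HEADERS, {"PATH": "/usr/bin:/bin"})
    return scrub_env(env)

if __name__ == "__main__":
    clean, dropped = demo()
    print("dropped:", dropped)
    print("passed :", sorted(clean))
```

The dropped names are also a useful detection signal: a header that arrives in this shape has no legitimate reason to exist in ordinary web traffic.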
