On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
On Thu, 2 Oct 2014, Brandon Hume wrote:

On 26/09/2014 8:47 PM, Gary Gendel wrote:
The current maintainer says it's been in bash for ~20 years; why it's not in
Solaris 10 is a mystery.

It is in Solaris 10.  (And 11.)  The test being used is flawed:

  env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

The good news is that if you have a support contract, there is a Solaris 10 bash
patch which seems to solve all the reported attack vectors (in my own testing).
It took Oracle two patches to get things right.

People found more bugs after the first patch went out. There are 6 CVEs for
bash announced in the last week, after all.

--
        -Alan Coopersmith-              alan.coopersm...@oracle.com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
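
Added example, not part of the original messages: the test quoted above sends its probe through /bin/sh, so its result means nothing when that shell is not bash (this is an assumption about why the thread calls the test flawed). The sketch first confirms the target is bash, then runs the same probe. It covers only the bug that probe exercises, and the function name and result strings are this example's own.

```shell
#!/bin/sh
# Added example: classify a shell binary before trusting the probe's result.
# Run this script under a POSIX shell (bash or ksh); it uses $(...).

# check_shell PATH prints one of: missing, not-bash, vulnerable, patched
check_shell() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return 0; }

    # Only bash sets BASH_VERSION. The single quotes keep the calling
    # shell from expanding the variable itself.
    ver=$("$shell" -c 'echo "$BASH_VERSION"' 2>/dev/null)
    if [ -z "$ver" ]; then
        echo not-bash
        return 0
    fi

    # Same probe as in the thread, now aimed at a shell known to be bash.
    out=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null)
    case $out in
        *busted*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# Candidate paths are assumptions; adjust them for the system being checked.
for s in /bin/sh /bin/bash /usr/bin/bash; do
    printf '%s: %s\n' "$s" "$(check_shell "$s")"
done
```

A "patched" result here speaks only to this one probe; the later-reported bash bugs mentioned in the thread need their own checks.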
