pkgsrc trunk implemented a workaround yesterday evening which disables the import functions feature by default. Users who wish to continue using this feature will need to explicitly pass --import-functions to the shell to re-enable the feature, after verifying that the script does not lie in an attack path.
In lieu of an official fix for CVE-2014-7169 this seems like a sensible course of action, and so I back-ported the fix to our release branches and a number of them finished overnight; the rest will complete throughout the course of today.

The package you are looking for, after running 'pkgin update', is 'bash-4.3.025nb2'. Note that whether or not you use --import-functions, this version fixes CVE-2014-6271 for both cases, and should no longer be vulnerable to that issue.

--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
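
One way to inventory the scripts that opt back in with --import-functions, so each can be reviewed for attack-path exposure as the message advises. This is an added example, not part of the original post or of pkgsrc; the function names, the output format and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# List every place under a directory tree where the shell is started
# with --import-functions. Output (format assumed by this example):
#   path:line:kind
#   kind = shebang     flag is on the #! line, the whole script opts in
#   kind = invocation  flag is on a later, non-comment line
find_import_functions() {
    root=$1
    find "$root" -type f -exec awk '
        FNR == 1 && /^#!/ {
            if (index($0, "--import-functions"))
                printf "%s:%d:shebang\n", FILENAME, FNR
            next
        }
        /^[ \t]*#/ { next }    # ignore comment-only lines
        index($0, "--import-functions") {
            printf "%s:%d:invocation\n", FILENAME, FNR
        }
    ' {} +
}

# Constructed sample tree (not real system files) so the example runs
# offline. Interpreter paths inside the files are placeholders.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' '#!/usr/bin/bash --import-functions' \
        'echo "legacy job"' > "$d/legacy.sh"
    printf '%s\n' '#!/bin/sh' \
        '# old: bash --import-functions ./job' \
        'bash --import-functions ./job' > "$d/wrapper.sh"
    printf '%s\n' '#!/bin/sh' 'echo plain' > "$d/plain.sh"
    echo "$d"
}

tree=$(make_sample_tree)
find_import_functions "$tree" | sort
rm -rf "$tree"
```

Each reported line is a place where function import from the environment is active again, so it is the list to check against anything that passes externally influenced environment variables to the shell.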
