So, CVE-2014-6271 (bash SHELL SHOCK) Anyone?
-
FreeRADIUS2 has been updated, should show an update available soon.
Mailscanner will be updated some time tomorrow.
-
Affected packages have been either updated or removed (thanks to garga).
- FreeRADIUS2: Package updated with a patched version of bash
- Mailscanner: Package updated with a patched version of bash
- FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.
Other packages that had a reference to bash but are not vulnerable:
- Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
- git: Used bash during build, but did not include bash in its PBI
- avahi: Used bash during build, but did not include bash in its PBI
- ntopng : Used bash during build, but did not include bash in its PBI
-
- Mailscanner: Package updated with a patched version of bash
I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.
# bash bash: Command not found. # find -f / bash ... find: bash: No such file or directory -
Could anybody please attach a gzipped patched binary here, to optionally replace it manually? Or maybe an URL to download the new .tgz?
-
There is no new tgz. For packages that require it, it is built into their PBI. Not sure why it didn't show up in mailscanner, but feel free to open a ticket in redmine for it if mailscanner is misbehaving because of its absence. It should also be the new FreeRADIUS2 PBI, so if you really want it, install that and copy the binary from there, then you could remove it if you want.
It is highly unlikely we'll make a stand-alone package just for bash.
-
I Installed freeradius2 package on my i386 NanoBSD box, and it didn't pull the bash binary as far as I can see:
/usr/local/bin(11): ls -la | grep bash lrwxr-xr-x 1 root wheel 36 Sep 27 19:31 bashbug -> /usr/pbi/freeradius-i386/bin/bashbug /usr/local/bin(12): bash bash: Command not found.:o
-
I've update the Mailscanner package and it looks like bash has been completely removed from the system instead.
Confirming that bash is missing from Mailscanner too.
-
:o :o :o
Nobody cares?
-
It's being looked at, they're apparently there on 2.2, though if you install one and then the other and remove one, the symlink goes with it.
There was another update to bash that needs put in anyhow, but it's mostly cosmetic (version bump) since the previous + patches has the fix already.
Since bash isn't there (and thus really isn't vulnerable ;D ) it isn't as high a priority, though it'll be fixed soon.
-
Also:
https://isc.sans.edu/forums/diary/Shellshock+We+are+not+done+yet+CVE-2014-6277+CVE-2014-6278/18723
http://www.openwall.com/lists/oss-security/2014/09/25/32 -
-
Thanks.
Tried freeradius2 package by deleting it and installing it again. The patched bash binary is deployed on both i386 and amd64 platforms.
