On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>
>>>>> Kind regards,
>>>>> Bartek Rutkowski
>>>>>
>>>>
>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>
>> I've disabled environment function importing in the port. Using
>> --import-functions will allow it to work if you need it.
>
> Hi Bryan,
> With the latest ports, bashcheck still sees some issues with bash.
> Are these false positives on FreeBSD?
>
> Using
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>
> Not vulnerable to CVE-2014-6271 (original shellshock)
> Not vulnerable to CVE-2014-7169 (taviso bug)
> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
> Vulnerable to CVE-2014-7186 (redir_stack bug)
> Test for CVE-2014-7187 not reliable without address sanitizer
> Variable function parser inactive, likely safe from unknown parser bugs
>
> ---Mike

Yes, we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

--
Regards,
Bryan Drewery