Thank you for the explanation! Now I can sleep calmly.
29.09.2014, 13:27, "n j" <[email protected]>:
> Hi,
>
> On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski <[email protected]> wrote:
>> On 29 sept. 2014, at 09:34, Кулешов Алексей <[email protected]> wrote:
>>> Right. Okay then, here it is:
>>>
>>> # pkg remove bash
>>> ... change 'bash' to 'sh' in bashcheck ...
>>> # sh bashcheck
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> So, there is no bash on my system anymore, but script says it has one vulnerability.
>>> Is it actually vulnerability or it's me who must take a good sleep? :)
>> This is odd. As far as I know, no one reported sh as being vulnerable to
>> CVE-2014-7187. But maybe it's only on FreeBSD... I don't have an answer to
>> that.
>
> I'd say the test is not relevant for sh. The line that tests for
> CVE-2014-7187 uses {1..200} construct which is not understood by sh.
>
> E.g.
> sh$ for i in {1..5}; do echo -n $i; done
> {1..5}
> bash$ for i in {1..5}; do echo -n $i; done
> 12345
>
> Br,
> --
> Nino
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
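
The point made in the quoted reply, that a check built on a `{1..200}` range says nothing about an interpreter that does not expand brace ranges, shown as an added example that is not part of the original thread. It probes a shell for brace-range support before a brace-based test result is trusted; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from bashcheck.
# Function names are hypothetical.

# Classify the output of the probe command:  echo {1..3}
#   "1 2 3"  -> the interpreter expanded the range (bash-style)
#   "{1..3}" -> the interpreter left it literal (as sh does in the thread)
classify_probe() {
    case "$1" in
        "1 2 3")  echo expands ;;
        "{1..3}") echo literal ;;
        *)        echo unknown ;;
    esac
}

# Run the probe under the interpreter named in $1.
probe_shell() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Single quotes keep the current shell from expanding the range itself.
    out=$("$1" -c 'echo {1..3}' 2>/dev/null) || out=""
    classify_probe "$out"
}

# Decide whether a test that relies on a brace range is meaningful for $1.
brace_test_verdict() {
    case "$(probe_shell "$1")" in
        expands) echo relevant ;;
        literal) echo not-relevant ;;
        *)       echo undetermined ;;
    esac
}

for s in sh bash; do
    printf '%s: brace-range test is %s\n' "$s" "$(brace_test_verdict "$s")"
done
```

A `not-relevant` verdict means the loop body ran once over the literal string, so a "Vulnerable" line from such a test is an artifact of the interpreter, not a finding.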
