On Thu, Oct 02, 2014 at 07:22:57AM +1000 John Mann said:
> On 2 October 2014 00:22, Douglas Ray <[email protected]> wrote:
>
> > ...
> > The only system with a real compromise was OS-X, the /bin/sh being a
> > bash.
>
> Apple have released an updated version of bash
> http://support.apple.com/kb/HT1222
> http://support.apple.com/kb/HT6495
> http://support.apple.com/kb/DL1769 ...
>
> But:
> a) only first 2 CVEs are fixed.
>
> $ bash --version
> GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
> Copyright (C) 2007 Free Software Foundation, Inc.
>
> $ env '__BASH_FUNC<ls>()'="() { echo Game Over; }" /bin/sh -c ls
> Game Over
>
> b) the security fix is not pushed to all Macs by default.

Fixes for older versions of OS X are available here:
http://tenfourfox.blogspot.com.au/2014/09/bashing-bash-one-more-time-updated.html

Sam
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
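
The check quoted above, generalised into an audit script. This is an added example, not part of the thread: it reports which environment-variable naming schemes a given shell accepts as an exported function definition. The function name gr_probe and the scheme labels (plain, apple, upstream) are made up here; "upstream" is the BASH_FUNC_name%% form used by patched upstream bash, which the thread does not mention.

```shell
#!/bin/sh
# Added example: which env-variable names does a shell import functions from?
# The probe function only echoes a marker string; "gr_probe" is a
# hypothetical name chosen so it cannot collide with a real command.

MARK="function-imported"

# encoding_name SCHEME FUNC -> print the variable name used by SCHEME
encoding_name() {
    case "$1" in
        plain)    printf '%s' "$2" ;;                 # unpatched bash: NAME
        apple)    printf '__BASH_FUNC<%s>()' "$2" ;;  # form shown in the thread
        upstream) printf 'BASH_FUNC_%s%%%%' "$2" ;;   # patched upstream bash
        *)        return 2 ;;
    esac
}

# imports_function SHELL SCHEME -> 0 if SHELL runs a function taken from
# the environment under SCHEME, 1 if not, 2 for an unknown scheme.
imports_function() {
    name=$(encoding_name "$2" gr_probe) || return 2
    out=$(env "${name}=() { echo ${MARK}; }" "$1" -c gr_probe 2>/dev/null) || true
    [ "$out" = "$MARK" ]
}

# audit SHELL -> one result line per scheme
audit() {
    for scheme in plain apple upstream; do
        if imports_function "$1" "$scheme"; then
            echo "$scheme: imported"
        else
            echo "$scheme: ignored"
        fi
    done
}

# Default to /bin/sh, the binary tested in the thread.
audit "${1:-/bin/sh}"
```

A "plain: imported" line means the shell still turns ordinary variables into functions; an imported namespaced scheme means exported functions can still shadow commands such as ls when the environment is attacker-influenced.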
