#45162: Bash still vulnerable
-----------------------+--------------------------------
 Reporter:  kost.hc@…  |      Owner:  macports-tickets@…
     Type:  defect     |     Status:  new
 Priority:  High       |  Milestone:
Component:  ports      |    Version:  2.3.1
 Keywords:             |       Port:  bash
-----------------------+--------------------------------
 Bash is still vulnerable to the shellshock bash:

 {{{
 $ sudo port selfupdate
 Password:
 ---> Updating MacPorts base sources using rsync
 MacPorts base version 2.3.1 installed,
 MacPorts base version 2.3.1 downloaded.
 ---> Updating the ports tree
 ---> MacPorts base is already the latest version

 The ports tree has been updated. To upgrade your installed ports, you should run
 port upgrade outdated
 }}}

 {{{
 $ sudo port install bash
 ---> Computing dependencies for bash
 ---> Cleaning bash
 ---> Scanning binaries for linking errors
 ---> No broken files found.
 }}}

 {{{
 $ bash --version
 GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.2.0)
 Copyright (C) 2013 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

 This is free software; you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 }}}

 It is not vulnerable to this:

 {{{
 $ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
 /bin/sh: warning: X: ignoring function definition attempt
 /bin/sh: error importing function definition for `X'
 stuff
 }}}

 But still vulnerable to this:

 {{{
 $ env X='() { (a)=>\' sh -c "echo date"; cat echo
 sh: X: line 1: syntax error near unexpected token `='
 sh: X: line 1: `'
 sh: error importing function definition for `X'
 Fri Sep 26 00:48:31 CEST 2014
 }}}

 If you need more info, check this URL:
 http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

--
Ticket URL: <https://trac.macports.org/ticket/45162>
MacPorts <http://www.macports.org/>
Ports system for OS X
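
The two checks from the ticket, wrapped so they run against one explicitly named shell binary and report each result separately. This is an added example, not part of the original report; the function names are hypothetical. The second check runs in a scratch directory because an affected shell leaves a file named `echo` in the working directory.

```shell
#!/bin/sh
# Added example, not from the ticket. Function names are hypothetical.

# First check: does the shell run the command that trails the function
# definition in X? Returns 0 (affected) if the marker word is printed.
first_check() {
    out=$(env X='() { :;} ; echo busted' "$1" -c 'echo stuff' 2>/dev/null) || true
    case "$out" in
        *busted*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Second check: an affected shell runs `date` and redirects its output to a
# file named "echo" in the current directory, so run it in a scratch
# directory and test for that file. Returns 0 (affected), 1 (not affected)
# or 2 (scratch directory could not be created).
second_check() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/shcheck.XXXXXX") || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Run both checks against the shell at path $1 and print one summary line.
# Returns 0 if neither check fires, 1 if either does, 2 on a setup error.
check_shell() {
    status=0
    if first_check "$1"; then r1=AFFECTED; status=1; else r1=ok; fi
    second_check "$1" && s=0 || s=$?
    case "$s" in
        0) r2=AFFECTED; status=1 ;;
        1) r2=ok ;;
        *) r2=error; status=2 ;;
    esac
    echo "first=$r1 second=$r2"
    return "$status"
}

# When called with an argument, treat it as the path of the shell to test.
if [ $# -gt 0 ]; then check_shell "$1"; fi
```

The script takes the path of the binary to test as its argument, so each installed shell can be checked separately.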