On 26 September 2014 17:02, Harry Putnam <[email protected]> wrote:
> Gary Gendel <[email protected]> writes:
>
>> I believe we mostly skirt the issue because, unlike Linux, the default
>> shell (/bin/sh) is ksh93 not bash.  This means that under normal
>> conditions we shouldn't have an issue.  Only if your cgi scripts
>> actually request bash will apache be a problem.  As for ssh, it
>> depends upon the login shell for the user.
>
> So, do you mean that ksh93 does not have the vulnerability?

Whence does the OI bash source originate?  On the bash that comes with
Solaris 10, the vulnerability is not present:

[~]=> bash --version
GNU bash, version 3.00.16(1)-release (sparc-sun-solaris2.10)
Copyright (C) 2004 Free Software Foundation, Inc.
[~]=> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed


N.

_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
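
The check quoted in the message above, run against each shell binary by path, since the thread turns on whether /bin/sh, ksh93 or bash is the interpreter actually invoked. This is an added example, not part of the original post; the function names (classify, check_shell, report) and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: apply the thread's environment-variable check to each
# shell binary separately and report a verdict per interpreter.

MARKER="busted"   # same marker word as the check quoted in the thread

# Classify the captured output of one probe run.
classify() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;      # trailing command was executed
        *completed*) echo "not-vulnerable" ;;  # only the -c command ran
        *)           echo "inconclusive" ;;    # the -c command never ran
    esac
}

# Probe one shell binary, given by path.
check_shell() {
    shell=$1
    if [ ! -x "$shell" ]; then
        echo "missing"
        return 0
    fi
    # The variable looks like an exported function definition followed by
    # an extra command; an affected shell runs that command at startup.
    out=$(env X="() { :;} ; echo $MARKER" "$shell" -c "echo completed" 2>/dev/null) || true
    classify "$out"
}

# Candidate paths are assumptions; adjust for the system being audited.
report() {
    for s in /bin/sh /bin/bash /usr/bin/bash /usr/bin/ksh93 /usr/bin/ksh; do
        printf '%-16s %s\n' "$s" "$(check_shell "$s")"
    done
}

report
```

A verdict applies only to the binary on that line, so a "not-vulnerable" result for /bin/sh says nothing about a separately installed bash.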
