I’m in a similar situation: Solaris 11 at home, without support contract.  My 
solution was to install OpenCSW’s updated bash (I had OpenCSW in place anyway), 
move /usr/bin/bash out of the way, and symlink /opt/csw/bin/bash to 
/usr/bin/bash.

Use a copy instead of a symlink if /opt is a separate filesystem!  And remember 
to undo those changes to /usr/bin _before_ installing a properly packaged 
update.

Until Apple released their fix, I did something similar on my Macs using 
MacPorts.

It’s temporary, and all my publicly accessible web servers etc have access 
controls anyway; but until a legitimate update comes along, it’s a lot better 
than nothing.  For Solaris 11, I’ll just have to wait for 11.3 to have an 
official fix without support contract (probably six months or so?).
 
On Oct 1, 2014, at 7:06 PM, Bob Friesenhahn <[email protected]> 
wrote:

> I am not sure who has the ability to build and update OpenIndiana packages, 
> but it will be really really bad for the future of OpenIndiana if it fails to 
> supply a fixed version of its bash package.
> 
> This article (including many example exploits) was posted on another list:
> 
> http://www.fireeye.com/blog/technical/2014/09/shellshock-in-the-wild.html
> 
> Known exploits include Web CGI, DHCP client, OpenVPN, ssh, gitweb, and 
> (possibly) git service.  Even if the service is implemented in Perl, Python, 
> Java, or C, it may still be exploitable if it exports externally-provided 
> data as environment variables and some program it invokes eventually happens 
> to execute bash.
> 
> While bash is not a "native" shell for OpenIndiana, it is quite heavily used.
> It is unfortunate that it is often used as a user login shell so it is 
> painful to simply move the existing binary to the side.
> 
> Bob
> -- 
> Bob Friesenhahn
> [email protected], http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
> 
> _______________________________________________
> openindiana-discuss mailing list
> [email protected]
> http://openindiana.org/mailman/listinfo/openindiana-discuss
> 
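
The temporary swap described in the reply at the top of this message (move the system bash aside, then symlink or copy the replacement, and undo it before a packaged update), as an added example that is not part of the original post. The function names and the `.orig` backup suffix are hypothetical, and a POSIX `df -P` without spaces in mount points is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are parameters so the
# steps can be rehearsed in a scratch directory before touching /usr/bin.
# Assumed names: the functions below and the ".orig" backup suffix.

# Print the mount point that holds $1 (last field of POSIX df output).
mount_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# "symlink" when both directories share a filesystem, otherwise "copy":
# a link into a separately mounted /opt dangles while /opt is not mounted.
choose_method() {          # $1 = replacement's dir, $2 = system bash's dir
    if [ "$(mount_of "$1")" = "$(mount_of "$2")" ]; then
        echo symlink
    else
        echo copy
    fi
}

# Move the system binary aside and put the replacement in its place.
# Prints the method used; rolls back if the link or copy fails.
install_replacement() {    # $1 = replacement binary, $2 = system binary
    new=$1 sys=$2
    [ -x "$new" ] || { echo "no executable at $new" >&2; return 1; }
    [ -e "$sys.orig" ] && { echo "$sys.orig exists; already swapped?" >&2; return 1; }
    method=$(choose_method "$(dirname "$new")" "$(dirname "$sys")")
    mv "$sys" "$sys.orig" || return 1
    case $method in
        symlink) ln -s "$new" "$sys" ;;
        copy)    cp -p "$new" "$sys" ;;
    esac || { mv "$sys.orig" "$sys"; return 1; }
    echo "$method"
}

# Undo the swap; run this before installing a properly packaged update.
restore_original() {       # $1 = system binary
    sys=$1
    [ -e "$sys.orig" ] || { echo "nothing to restore for $sys" >&2; return 1; }
    rm -f "$sys" && mv "$sys.orig" "$sys"
}

# Usage, as root, with the paths from the message:
#   install_replacement /opt/csw/bin/bash /usr/bin/bash
#   restore_original /usr/bin/bash
```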

