The -07 version of the solaris 10 Oracle patch is from last monday. Seems
to me it fixes all. But had little time to test it.
On 2 oktober 2014 17:24:00 Alan Coopersmith <[email protected]>
wrote:
On 10/ 2/14 07:20 AM, Bob Friesenhahn wrote:
> On Thu, 2 Oct 2014, Brandon Hume wrote:
>
>> On 26/09/2014 8:47 PM, Gary Gendel wrote:
>>> The current maintainer says it's been in bash for ~20 years, why it's
not in
>>> Solaris 10 is a mystery.
>>
>> It is in Solaris 10. (And 11.) The test being used is flawed:
>>
>> env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>
> The good news is that if you have a support contract, there is a Solaris
10 bash
> patch which seems to solve all the reported attack vectors (in my own
testing).
> It took Oracle two patches to get things right.
People found more bugs after the first patch went out. There are 6 CVE's for
bash announced in the last week after all.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
