Bash shell bug

As many of you are probably aware, a serious security issue in the GNU bash shell is currently all over the web. We are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Nothing written by the GhostBSD project uses bash, and bash is not built into the FreeBSD operating system itself (it is an optional port/package), so the severity of this bug is lower on FreeBSD than on other operating systems.

We recommend that you update bash by running the following command: sudo pkg install -f bash

According to the FreeBSD mailing list, Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. Since he also included some good recommendations for bash users in the email, we decided to copy it here for anyone else who is interested.

From: Bryan Drewery  FreeBSD mailing list

The port is fixed with all known public exploits. The package is
building currently.

However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:

1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI :)
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
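
A small audit for guidelines 1, 2 and 6 of the email above, as an added example that is not part of the original post or of the FreeBSD notice: it checks whether a path resolves to bash, which named accounts still have a login shell, and which authorized_keys forced commands run bash. The function names, the www and webapp accounts, and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Paths are passed as arguments.

# Guideline 1: succeed if PATH (normally /bin/sh) resolves to bash.
sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "bash" ]
}

# Guideline 2: print named accounts whose login shell is not nologin.
login_shell_accounts() {
    file=$1; shift
    for user in "$@"; do awk -F: -v u="$user" '$1 == u && $NF !~ /\/nologin$/ { print $1 }' "$file"; done
}

# Succeed if FILE is bash itself or a script with a bash shebang.
runs_bash() {
    [ "$(basename "$1")" = "bash" ] && return 0
    [ -r "$1" ] || return 1
    head -n 1 "$1" | grep -Eq '^#!.*[/[:space:]]bash([[:space:]]|$)'
}

# Guideline 6: print "LINE: COMMAND" for each forced command in an
# authorized_keys file that runs bash. Only the simple command="..." form
# (no escaped quotes) is parsed.
bash_forced_commands() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        cmd=$(printf '%s\n' "$line" | sed -n 's/^[^#]*command="\([^"]*\)".*/\1/p')
        [ -n "$cmd" ] || continue
        if runs_bash "${cmd%% *}"; then printf '%s: %s\n' "$n" "$cmd"; fi
    done < "$1"
}

# Constructed sample data: hypothetical accounts, scripts and placeholder keys.
make_samples() {
    printf '#!/usr/local/bin/bash\necho backup\n' > "$1/backup.sh"
    printf '#!/bin/sh\nexec uptime\n' > "$1/status.sh"
    printf '%s\n' 'www:*:80:80::/:/sbin/nologin' 'webapp:*:1001:1001::/:/usr/local/bin/bash' > "$1/passwd"
    printf 'command="%s" ssh-ed25519 AAAAEXAMPLE constructed\n' "$1/backup.sh" "$1/status.sh" > "$1/authorized_keys"
    : > "$1/bash"; ln -s "$1/bash" "$1/sh"
}

dir=$(mktemp -d) && make_samples "$dir"
sh_is_bash "$dir/sh" && echo "sh resolves to bash"
login_shell_accounts "$dir/passwd" www webapp
bash_forced_commands "$dir/authorized_keys"
rm -rf "$dir"
```

To audit a real host, call the same functions with /bin/sh, /etc/passwd and each account's authorized_keys file instead of the constructed samples.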

For more information on the bug itself, you can read the Ars Technica article at the link below.

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
