anti-shellshock suggestions
René J.V. Bertin
rjvbertin at gmail.com
Mon Sep 29 01:53:21 PDT 2014
On Friday September 26 2014 06:51:01 Nathan Brazil wrote:
> Looking through the details for the 2014-004 security update, I do not see shellshock (CVE-2014-6271, CVE-2014-7169) included.
>
> But for myself, I switched over to MacPorts' installation of bash as well.
Couple points:
- `port livecheck bash` indicate we're 2 point releases behind
- http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/ suggests that there's no definite fix (yet), and that we'd probably be safer by linking /bin/sh to ash instead of bash
- macports' dash is 1 point release behind
- how about adding a variant to the bash (and dash) portfiles allowing users to copy the MacPorts version into /bin (moving the original version to something like bash.macportsBackup if that backup doesn't yet exist)?
R.
More information about the macports-users
mailing list