Bug #3892 (closed)
Critical bash vulnerability CVE-2014-6271
Description
2.2-beta appears vulnerable:
[root@pfsense ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Updated by Jim Pingle about 10 years ago
- Priority changed from Urgent to Normal
2.2 does not include bash. No base install includes bash. If you added it manually, it came from FreeBSD, or perhaps the FreeRADIUS2 package, but it is not on by default.
We are working on a fix already for the FreeRADIUS2 package but the base is not vulnerable.
Updated by Jim Pingle about 10 years ago
[2.2-ALPHA][admin@apu.localdomain]/root(1): which bash
bash: Command not found.
[2.2-ALPHA][admin@apu.localdomain]/root(2): env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env: bash: No such file or directory
Updated by Jim Pingle about 10 years ago
Also: The mailscanner package appears to be affected along with FreeRADIUS2
Updated by Jim Pingle about 10 years ago
Update again:
More affected packages, full list is now:
git, avahi, freeradius2, ntopng, mailscanner
Updated by Jim Pingle about 10 years ago
Checking further: git, avahi, and ntopng use bash during the build but do not include it in the PBI for installation.
So only freeradius2 and mailscanner are actually potential vectors. FreeRADIUS2 has been updated to 1.6.8 and now includes a patched version of bash, mailscanner will follow.
Updated by Jim Pingle about 10 years ago
- Project changed from pfSense to pfSense Packages
- Status changed from New to Feedback
Affected packages have been either updated or removed.
- FreeRADIUS2: Package updated with a patched version of bash
- Mailscanner: Package updated with a patched version of bash
- FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.
Other packages that had a reference to bash but are not vulnerable:
- Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
- git: Used bash during build, but did not include bash in its PBI
- avahi: Used bash during build, but did not include bash in its PBI
- ntopng: Used bash during build, but did not include bash in its PBI
Updated by Jim Pingle about 10 years ago
Security Announcement posted:
https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved