Bug #3892

closed

Critical bash vulnerability CVE-2014-6271

Added by Steve Thomas over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 09/25/2014
% Done: 0%

Description

2.2-beta appears vulnerable:

[root@pfsense ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 
vulnerable
this is a test
#1

Updated by Jim Pingle over 9 years ago

  • Priority changed from Urgent to Normal

2.2 does not include bash. No base install includes bash. If you added it manually, it came from FreeBSD, or perhaps the FreeRADIUS2 package, but it is not on by default.

We are working on a fix already for the FreeRADIUS2 package but the base is not vulnerable.

#2

Updated by Jim Pingle over 9 years ago

[2.2-ALPHA][]/root(1): which bash
bash: Command not found.
[2.2-ALPHA][]/root(2): env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env: bash: No such file or directory

#3

Updated by Jim Pingle over 9 years ago

Also: The mailscanner package appears to be affected along with FreeRADIUS2.

#4

Updated by Jim Pingle over 9 years ago

Update again:

More affected packages, full list is now:
git, avahi, freeradius2, ntopng, mailscanner

#5

Updated by Jim Pingle over 9 years ago

Checking further: git, avahi, and ntopng use bash during the build but do not include it in the PBI for installation.

So only freeradius2 and mailscanner are actually potential vectors. FreeRADIUS2 has been updated to 1.6.8 and now includes a patched version of bash, mailscanner will follow.

#6

Updated by Jim Pingle over 9 years ago

  • Project changed from pfSense to pfSense Packages
  • Status changed from New to Feedback

Affected packages have been either updated or removed.

  • FreeRADIUS2: Package updated with a patched version of bash
  • Mailscanner: Package updated with a patched version of bash
  • FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.

Other packages that had a reference to bash but are not vulnerable:

  • Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
  • git: Used bash during build, but did not include bash in its PBI
  • avahi: Used bash during build, but did not include bash in its PBI
  • ntopng: Used bash during build, but did not include bash in its PBI
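An added example, not part of this issue thread or of pfSense itself: it turns the one-line check quoted in the description and in note #2 into a reusable POSIX sh audit that reports each bash copy as missing, patched or vulnerable, and walks the places a bash binary could hide on a 2.x box, including inside package PBIs (the FreeRADIUS2 and mailscanner case above). The base-system and /usr/pbi paths it searches are an assumption about the package layout, not taken from the report.

```shell
#!/bin/sh
# Added example (not from the pfSense issue tracker).
# Print "missing", "vulnerable" or "patched" for the bash binary given as $1,
# using the same environment-function test quoted in the bug description.
shellshock_status() {
    bash_bin="$1"
    if [ ! -x "$bash_bin" ]; then
        echo missing
        return 0
    fi
    # A bash affected by CVE-2014-6271 runs the command that trails the
    # function body while importing x from the environment; a patched bash
    # ignores it (and may warn on stderr, which is discarded here).
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Candidate locations on a pfSense 2.x box: base-system paths (where bash
# should not exist at all) plus any bash shipped inside a package PBI.
# The /usr/pbi globs are an assumed layout, not taken from the report.
shellshock_candidates() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash \
             /usr/pbi/*/bin/bash /usr/pbi/*/local/bin/bash; do
        if [ -e "$p" ]; then echo "$p"; fi
    done
    return 0
}

# Audit every candidate; return 1 if any vulnerable copy is found, so the
# function can back a cron job or monitoring check.
shellshock_audit() {
    rc=0
    for b in $(shellshock_candidates); do
        status=$(shellshock_status "$b")
        echo "$b: $status"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return $rc
}
```

Run `shellshock_audit` after installing or updating a package that bundles its own shell; a system with no bash at all prints nothing and exits 0, matching the "bash: Command not found." result in note #2.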
#8

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved