Project

General

Profile

Actions

Bug #3892

closed

Critical bash vulnerability CVE-2014-6271

Added by Steve Thomas about 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
09/25/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

2.2-beta appears vulnerable:

[root@pfsense ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 
vulnerable
this is a test
Actions #1

Updated by Jim Pingle about 10 years ago

  • Priority changed from Urgent to Normal

2.2 does not include bash. No base install includes bash. If you added it manually, it came from FreeBSD, or perhaps the FreeRADIUS2 package, but it is not on by default.

We are working on a fix already for the FreeRADIUS2 package but the base is not vulnerable.

Actions #2

Updated by Jim Pingle about 10 years ago

[2.2-ALPHA][]/root(1): which bash
bash: Command not found.
[2.2-ALPHA][]/root(2): env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env: bash: No such file or directory

Actions #3

Updated by Jim Pingle about 10 years ago

Also: The mailscanner package appears to be affected along with FreeRADIUS2

Actions #4

Updated by Jim Pingle about 10 years ago

Update again:

More affected packages, full list is now:
git, avahi, freeradius2, ntopng, mailscanner

Actions #5

Updated by Jim Pingle about 10 years ago

Checking further: git, avahi, and ntopng use bash during the build but do not include it in the PBI for installation.

So only freeradius2 and mailscanner are actually potential vectors. FreeRADIUS2 has been updated to 1.6.8 and now includes a patched version of bash, mailscanner will follow.

Actions #6

Updated by Jim Pingle about 10 years ago

  • Project changed from pfSense to pfSense Packages
  • Status changed from New to Feedback

Affected packages have been either updated or removed.

  • FreeRADIUS2: Package updated with a patched version of bash
  • Mailscanner: Package updated with a patched version of bash
  • FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.

Other packages that had a reference to bash but are not vulnerable:

  • Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
  • git: Used bash during build, but did not include bash in its PBI
  • avahi: Used bash during build, but did not include bash in its PBI
  • ntopng : Used bash during build, but did not include bash in its PBI
Actions #8

Updated by Chris Buechler about 10 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF