Bug #3892
closed
Critical bash vulnerability CVE-2014-6271
Added by Steve Thomas about 10 years ago.
Updated almost 10 years ago.
Description
2.2-beta appears vulnerable:
[root@pfsense ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
- Priority changed from Urgent to Normal
2.2 does not include bash. No base install includes bash. If you added it manually, it came from FreeBSD, or perhaps the FreeRADIUS2 package, but it is not on by default.
We are working on a fix already for the FreeRADIUS2 package but the base is not vulnerable.
[2.2-ALPHA][admin@apu.localdomain]/root(1): which bash
bash: Command not found.
[2.2-ALPHA][admin@apu.localdomain]/root(2): env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env: bash: No such file or directory
Also: The mailscanner package appears to be affected along with FreeRADIUS2
Update again:
More affected packages, full list is now:
git, avahi, freeradius2, ntopng, mailscanner
Checking further: git, avahi, and ntopng use bash during the build but do not include it in the PBI for installation.
So only freeradius2 and mailscanner are actually potential vectors. FreeRADIUS2 has been updated to 1.6.8 and now includes a patched version of bash; mailscanner will follow.
- Project changed from pfSense to pfSense Packages
- Status changed from New to Feedback
Affected packages have been either updated or removed.
- FreeRADIUS2: Package updated with a patched version of bash
- Mailscanner: Package updated with a patched version of bash
- FreeSWITCH/FreeSWITCH-dev: -dev variant attempted to install bash via pkg_add. Unmaintained, FreeBSD removed it from ports tree. Removed package.
Other packages that had a reference to bash but are not vulnerable:
- Anyterm: Defaulted to attempt to run bash. Unmaintained, package removed.
- git: Used bash during build, but did not include bash in its PBI
- avahi: Used bash during build, but did not include bash in its PBI
- ntopng: Used bash during build, but did not include bash in its PBI
- Status changed from Feedback to Resolved
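Added example, not part of the bug report or of pfSense: a small POSIX sh helper that runs the same CVE-2014-6271 probe used in the description and classifies the result, treating a missing bash (the "Command not found" case the maintainers showed on 2.2-ALPHA) as "absent" rather than as an error. The candidate paths in shellshock_report are assumptions covering Linux and FreeBSD package locations, not paths taken from the report.

```shell
# Classify one bash binary as absent, vulnerable, or patched for
# CVE-2014-6271. Usage: shellshock_status [path-or-name-of-bash]
shellshock_status() {
    candidate="${1:-bash}"
    # pfSense/FreeBSD has no bash in the base system, so a missing binary
    # is the "not affected" outcome from the report, not a failure.
    if ! command -v "$candidate" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # A vulnerable bash imports the function definition from the
    # environment variable and keeps parsing past the closing brace, so
    # the trailing "echo vulnerable" runs before the -c command does.
    # A patched bash prints only the -c command's output.
    out=$(env x='() { :;}; echo vulnerable' "$candidate" -c 'echo this is a test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# Check the usual install locations (assumed list: /usr/local/bin is where
# FreeBSD ports and PBIs, such as the FreeRADIUS2 package, put binaries).
shellshock_report() {
    for p in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        printf '%s: %s\n' "$p" "$(shellshock_status "$p")"
    done
}
```

Running shellshock_report on a box with a bundled package bash gives one line per location, so a package that ships its own copy under /usr/local is checked alongside the system one.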