web-dev-qa-db-ja.com

Shellshock-「pkgupgradebash」は、bashを最新の4.3.25に更新しません

_FreeBSD-9.1-p5_を使用しています。

私の_security run output_:

_Checking for packages with security vulnerabilities:
Database fetched: Wed Sep 24 23:01:24 EDT 2014
bash-4.3.24
_

_pkg info bash_:

_# pkg info bash
bash-4.3.24
Name           : bash
Version        : 4.3.24
Installed on   : Tue Sep 16 17:17:32 EDT 2014
Origin         : shells/bash
Architecture   : freebsd:9:x86:64
Prefix         : /usr/local
Categories     : shells
Licenses       : GPLv3
Maintainer     : [email protected]
WWW            : http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
Comment        : The GNU Project's Bourne Again Shell
Options        :
   COLONBREAKSWORDS: on
   DOCS           : on
   HELP           : on
   IMPLICITCD     : on
   NLS            : on
   STATIC         : off
   SYSLOG         : off
Shared Libs required:
   libintl.so.9
   libiconv.so.3
Annotations    :
   repo_type      : binary
   repository     : FreeBSD
Flat size      : 6.65MiB
Description    :
This is GNU Bash.  Bash is the GNU Project's Bourne Again Shell,
a complete implementation of the POSIX.2 Shell spec, but also
with interactive command line editing, job control on architectures
that support it, csh-like features such as history substitution and
brace expansion, and a slew of other features. 

WWW: http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
#
_

_pkg upgrade bash_:

_# pkg upgrade bash 
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
#
_

_/usr/ports_ではなくpkg(8)を使用しています。メンテナがパッケージを更新しなかったのに、セキュリティの脆弱性リストがすでに最新になっているということですか?

4
alexus

アップデートが出ているようです)

[alexus@alexus ~]$ Sudo pkg upgrade bash   
Password:
Updating FreeBSD repository catalogue...
[alexus.org] Fetching meta.txz: 100%   968 B   1.0k/s    00:01    
[alexus.org] Fetching digests.txz: 100%    2 MB   2.0M/s    00:01    
[alexus.org] Fetching packagesite.txz: 100%    5 MB   5.3M/s    00:01    
Removing expired repository entries: 100%
Processing new repository entries: 100%
FreeBSD repository update completed. 23417 packages processed:
  9022 updated, 63 removed and 155 added.
New version of pkg detected; it needs to be installed first.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    pkg: 1.3.7 -> 1.3.8_1

The process will require 31 kB more space.
2 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching pkg-1.3.8_1.txz: 100%    2 MB   2.0M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading pkg from 1.3.7 to 1.3.8_1: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    bash: 4.3.24 -> 4.3.25_1

The operation will free 64 B.
1 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching bash-4.3.25_1.txz: 100%    1 MB   1.2M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading bash from 4.3.24 to 4.3.25_1: 100%
[alexus@alexus ~]$ 
2
alexus

ポートから手動でbashをアップグレードする必要がありました。

まず、ポートが最新であることを確認しました。

portsnap fetch update

次に、pkgをアップグレードしました。

cd /usr/ports/ports-mgmt/pkg
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

次に、bashをアップグレードしました。

cd /usr/ports/shells/bash
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

私のバージョンのbashは最新です:

# bash --version
GNU bash, version 4.3.25(1)-release (i386-portbld-freebsd9.3)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
...

単語vulnerableは、以下のこのテストには表示されません。

# env x='() { :;}; echo vulnerable' bash -c "echo hello"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
1
micah94