vertner.net

Apple Releases Bash Patch


OS X server admins and Mac tinkerers rejoice! Yesterday, Apple released a Bash patch to deal with the so-called Shellshock vulnerability. For some reason, it’s not being pushed out via Software Update, but you can download the patches from Apple’s Support pages here:

The patches update Bash to version 3.2.53(1). There has been no update for the beta versions of OS X 10.10 Yosemite floating around out there. Presumably, it will be patched before it gets formally released.

Interestingly, running the following:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

… still suggests that the system is vulnerable, while running a different test:

env X='() { (a)=>\' bash -c "echo date"; cat echo; rm -f echo

… results in the errors expected from an appropriately patched system. A vulnerable system would display the current date and time. I’m not quite sure why that’s the case, unless the patch isn’t a 100% solution. Both of my Linux systems running 4.3.11(1) and 4.2.37(1) are patched and passing both tests. Regardless, we can hope that this is the last page in the book on this vulnerability.
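
An added example (not from the original post or from Apple): a small POSIX shell script that runs both tests above against one bash binary and reports each result separately, with the second test confined to a scratch directory so the stray "echo" file never lands in the working directory. The function names are this example's own, and the binary is assumed to be a name on PATH or an absolute path.

```sh
#!/bin/sh
# Added example: run both checks from the post against one bash binary.
# Function and variable names are this example's own (hypothetical).
# BASH below is a name on PATH or an absolute path.

# check_env_function BASH: the first test. A vulnerable bash executes the
# command trailing the function definition while importing variable x.
check_env_function() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# check_parser_redirect BASH: the second test. A vulnerable bash leaves a
# file named "echo" behind, holding the output of date.
check_parser_redirect() {
    bash_path=$(command -v "$1") || return 2
    tmp=$(mktemp -d) || return 2
    (
        cd "$tmp" || exit 2
        env X='() { (a)=>\' "$bash_path" -c 'echo date' >/dev/null 2>&1
        if [ -e echo ]; then echo vulnerable; else echo patched; fi
    )
    rm -rf "$tmp"
}

# report BASH: one line per binary, suitable for collecting across hosts.
report() {
    printf '%s version=%s env_function=%s parser_redirect=%s\n' \
        "$1" "$("$1" -c 'echo "$BASH_VERSION"')" \
        "$(check_env_function "$1")" "$(check_parser_redirect "$1")"
}

report "${1:-bash}"
```

Pass the path of a specific binary as the first argument to test a copy other than the first bash on PATH.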
