I'm using FreeBSD-9.1-p5.

My security run output:

Checking for packages with security vulnerabilities:
Database fetched: Wed Sep 24 23:01:24 EDT 2014
bash-4.3.24

pkg info bash:

# pkg info bash
bash-4.3.24
Name           : bash
Version        : 4.3.24
Installed on   : Tue Sep 16 17:17:32 EDT 2014
Origin         : shells/bash
Architecture   : freebsd:9:x86:64
Prefix         : /usr/local
Categories     : shells
Licenses       : GPLv3
Maintainer     : ehaupt@FreeBSD.org
WWW            : http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
Comment        : The GNU Project's Bourne Again SHell
Options        :
   COLONBREAKSWORDS: on
   DOCS           : on
   HELP           : on
   IMPLICITCD     : on
   NLS            : on
   STATIC         : off
   SYSLOG         : off
Shared Libs required:
   libintl.so.9
   libiconv.so.3
Annotations    :
   repo_type      : binary
   repository     : FreeBSD
Flat size      : 6.65MiB
Description    :
This is GNU Bash.  Bash is the GNU Project's Bourne Again SHell,
a complete implementation of the POSIX.2 shell spec, but also
with interactive command line editing, job control on architectures
that support it, csh-like features such as history substitution and
brace expansion, and a slew of other features. 

WWW: http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html
#

pkg upgrade bash:

# pkg upgrade bash 
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
#

I'm using pkg(8) and not /usr/ports. Does it mean the maintainer didn't update the package, yet the security vulnerabilities list is already up to date?

alexus
  • As usual, pkg is always behind ports :) – masegaloeh Sep 26 '14 at 04:20
  • 1
    To all downvoters, please use the comment section to comment after you downvote! Without your feedback I cannot improve myself! – alexus Sep 26 '14 at 12:41
  • 1
    Most FreeBSD users still don't use pkg, therefore it's treated as a secondary service. You can see an example of that second-class service here, as 4.3.25 still isn't available. Even when the package is released, it's still not clear what sort of testing is done on updated packages, so installing a fresh package is a bit risky and runs the risk of regressions. Bash is 'tested' after release due to the fact that it's widely used, so it's important to check the forums & mailing lists before installing any FreeBSD package/port. – Stefan Lasiewski Sep 26 '14 at 16:17
  • The downvoters were simply voting to move this to unix.stackexchange.org . – Stefan Lasiewski Sep 29 '14 at 19:46

2 Answers

Looks like the update is out)

[alexus@alexus ~]$ sudo pkg upgrade bash   
Password:
Updating FreeBSD repository catalogue...
[alexus.org] Fetching meta.txz: 100%   968 B   1.0k/s    00:01    
[alexus.org] Fetching digests.txz: 100%    2 MB   2.0M/s    00:01    
[alexus.org] Fetching packagesite.txz: 100%    5 MB   5.3M/s    00:01    
Removing expired repository entries: 100%
Processing new repository entries: 100%
FreeBSD repository update completed. 23417 packages processed:
  9022 updated, 63 removed and 155 added.
New version of pkg detected; it needs to be installed first.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    pkg: 1.3.7 -> 1.3.8_1

The process will require 31 kB more space.
2 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching pkg-1.3.8_1.txz: 100%    2 MB   2.0M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading pkg from 1.3.7 to 1.3.8_1: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 packages will be affected (of 0 checked):

Installed packages to be UPGRADED:
    bash: 4.3.24 -> 4.3.25_1

The operation will free 64 B.
1 MB to be downloaded.

Proceed with this action? [y/N]: y
[alexus.org] Fetching bash-4.3.25_1.txz: 100%    1 MB   1.2M/s    00:01    
Checking integrity... done (0 conflicting)
[alexus.org] [1/1] Upgrading bash from 4.3.24 to 4.3.25_1: 100%
[alexus@alexus ~]$ 
alexus

I had to upgrade bash manually from ports.

First, I made sure ports was up-to-date:

portsnap fetch update

Then, I upgraded pkg:

cd /usr/ports/ports-mgmt/pkg
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

Then I upgraded bash:

cd /usr/ports/shells/bash
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall

My version of bash is now up-to-date:

# bash --version
GNU bash, version 4.3.25(1)-release (i386-portbld-freebsd9.3)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
...

The word "vulnerable" does not show up in the test below:

# env x='() { :;}; echo vulnerable' bash -c "echo hello"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
micah94
  • Thanks for that. I'm using `pkg`, not `/usr/ports`, so unfortunately this isn't useful for me, but I'm sure it's useful for someone else) so on their behalf, thank you!) – alexus Sep 26 '14 at 12:42
  • Shellshock was announced over 72 hours ago and FreeBSD still hasn't released a binary update. The only reasonable solution is to build Bash from ports, uninstall bash (or `mv bash bash.old` temporarily). Bash has quite the list of build dependencies, so this can be a challenge to anyone who doesn't build ports regularly. – Stefan Lasiewski Sep 27 '14 at 17:10
  • 1
    You can use Ports to build packages, which you can then distribute to other hosts. If you have many servers, consider the `poudriere` build system https://www.freebsd.org/doc/handbook/ports-poudriere.html – Stefan Lasiewski Sep 27 '14 at 17:15
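The function-import probe from micah94's answer, wrapped into a check that targets a specific bash binary (the ports/pkg install lives in /usr/local/bin on FreeBSD, and a renamed `bash.old` is easy to forget) and reports its version alongside the result. This is an added example, not code from either answer; the default path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: check one bash binary for the Shellshock function-import flaw
# using the same probe as the answer above. Requires only POSIX sh and env(1).

# Prints "vulnerable", "patched" or "missing" for the bash at $1.
# Default path is an assumption: the FreeBSD ports/pkg location.
shellshock_status() {
    bash_bin="${1:-/usr/local/bin/bash}"
    # Fall back to whatever bash is first on PATH, as the answer's test does.
    if [ ! -x "$bash_bin" ]; then
        bash_bin=$(command -v bash 2>/dev/null) || { echo missing; return 2; }
    fi
    # A patched bash refuses the trailing command in the imported function and
    # prints only "hello"; its warnings go to stderr, which we discard.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# First line of `bash --version` for the same binary, so the result can be
# cross-checked against `pkg info bash` (4.3.24 here before the fix, 4.3.25 after).
bash_version() {
    bash_bin="${1:-/usr/local/bin/bash}"
    [ -x "$bash_bin" ] || bash_bin=$(command -v bash 2>/dev/null) || return 2
    "$bash_bin" --version | head -n 1
}

# Report for every path given on the command line, e.g.
#   sh shellshock_check.sh /usr/local/bin/bash /usr/local/bin/bash.old
if [ "$#" -gt 0 ]; then
    rc=0
    for p in "$@"; do
        st=$(shellshock_status "$p") || rc=1
        printf '%s: %s (%s)\n' "$p" "$st" "$(bash_version "$p" 2>/dev/null)"
    done
    exit "$rc"
fi
```

The overall exit status is non-zero if any listed binary is still vulnerable, so the script can sit in a cron job or the daily security run until the package catches up.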