I hereby declare the bash ShellShock bug(s) worthy of mention.

Yes, bash is just a port in FreeBSD, but:

- Hundreds of other ports (including network accessible ports) seem to depend on shells/bash. (Figuring out if they use it in a vulnerable way or not is left as an exercise for the reader.)
- Custom/third party apps might also be using bash.
- Some users prefer to chsh -s bash.
- [> Insert your favourite reason to patch here <]

References to the ShellShock bug(s):

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
^ Seems to be patched in ports, bash >= 4.3.25.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
^ Patch does not yet exist?

Here's a little copy-and-paste exercise for verifying CVE-2014-6271 vulnerability:

    env var='() { ignore this;}; echo vulnerable' bash -c /usr/bin/true

--
Erik
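
Added example (not part of the original post): the CVE-2014-6271 probe above wrapped in a POSIX sh audit that tests every bash listed in /etc/shells and on PATH, since a host can carry more than one copy. The function names and the use of /etc/shells as the inventory source are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_bash BINARY
# 0 = runs code trailing a function definition imported from the environment
#     (CVE-2014-6271 behaviour), 1 = does not, 2 = not an executable file.
check_bash() {
    bin=$1
    [ -x "$bin" ] || return 2
    # Same probe as in the post; env -i keeps the caller's environment out.
    out=$(env -i var='() { ignore this;}; echo vulnerable' "$bin" -c : 2>/dev/null) || true
    case $out in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_bash [SHELLS_FILE]
# Unique paths ending in /bash from the shells file, plus the bash on PATH.
list_bash() {
    shells=${1:-/etc/shells}
    {
        if [ -r "$shells" ]; then grep -E '^/.*/bash$' "$shells" || true; fi
        command -v bash 2>/dev/null || true
    } | sort -u
}

# audit_bash [SHELLS_FILE]
# One report line per binary; returns 1 if any binary is vulnerable.
# Assumes the paths contain no whitespace.
audit_bash() {
    rc=0
    for b in $(list_bash "$1"); do
        st=0
        check_bash "$b" || st=$?
        case $st in
            0) echo "VULNERABLE  $b"; rc=1 ;;
            1) echo "ok          $b" ;;
            *) echo "skipped     $b (not executable)" ;;
        esac
    done
    return $rc
}

# Usage: audit_bash            (reads /etc/shells and PATH)
```

The probe only covers CVE-2014-6271; a binary reported as ok here says nothing about CVE-2014-7169.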