author: Bryan Drewery <bdrewery@FreeBSD.org> 2014-09-26 21:42:21 +0000
committer: Bryan Drewery <bdrewery@FreeBSD.org> 2014-09-26 21:42:21 +0000
commit: 01a73adbed486e332c504a892edfa29e908fc59d (patch)
tree: f6b797210d83e3ea6b6386f47142a89cd73fc394 /UPDATING
parent: 92e9f2e7d5cdabe4f32c28e492f4c25ea4538c4c (diff)
Reword bash entry a bit
Notes: svn path=/head/; revision=369349
Diffstat (limited to 'UPDATING')
-rw-r--r--  UPDATING  9
1 files changed, 5 insertions, 4 deletions
diff --git a/UPDATING b/UPDATING
index c427f18ea154..a8d7c88808fd 100644
--- a/UPDATING
+++ b/UPDATING
@@ -10,10 +10,11 @@ you update your ports collection, before attempting any port upgrades.
AUTHOR: bdrewery@FreeBSD.org
Bash supports a feature of exporting functions in the environment with
- export -f. Running bash with exported functioned in the environment will
- then import those functions into the environment. This resulted in
- security issues CVE-2014-6271 and CVE-2014-7169, commonly known as
- "shellshock".
+ export -f. Running bash with exported functions in the environment will
+ then import those functions into the environment of the script being ran.
+ This resulted in security issues CVE-2014-6271 and CVE-2014-7169, commonly
+ known as "shellshock". It also can result in poorly written scripts being
+ tricked into running arbitrary commands.
To fully mitigate against this sort of attack we have applied a non-upstream
patch to disable this functionality by default. You can execute bash
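Review bot: The second added line has a grammar slip, "the environment of the script being ran" should read "the environment of the script being run", and "It also can result" on the fourth added line reads more naturally as "It can also result". The rewritten first sentence also uses "environment" in two senses (the process environment in which bash is started, and the script's own namespace that receives the imported functions); naming the second one differently, e.g. "will then import those functions into the shell running the script", would make the mechanism the entry is warning about easier to follow.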