From 01a73adbed486e332c504a892edfa29e908fc59d Mon Sep 17 00:00:00 2001 From: Bryan Drewery Date: Fri, 26 Sep 2014 21:42:21 +0000 Subject: Reword bash entry a bit --- UPDATING | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'UPDATING') diff --git a/UPDATING b/UPDATING index c427f18ea154..a8d7c88808fd 100644 --- a/UPDATING +++ b/UPDATING @@ -10,10 +10,11 @@ you update your ports collection, before attempting any port upgrades. AUTHOR: bdrewery@FreeBSD.org Bash supports a feature of exporting functions in the environment with - export -f. Running bash with exported functioned in the environment will - then import those functions into the environment. This resulted in - security issues CVE-2014-6271 and CVE-2014-7169, commonly known as - "shellshock". + export -f. Running bash with exported functions in the environment will + then import those functions into the environment of the script being ran. + This resulted in security issues CVE-2014-6271 and CVE-2014-7169, commonly + known as "shellshock". It also can result in poorly written scripts being + tricked into running arbitrary commands. To fully mitigate against this sort of attack we have applied a non-upstream patch to disable this functionality by default. You can execute bash -- cgit v1.2.3
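Review bot: In the added line "then import those functions into the environment of the script being ran", "being ran" should be "being run", and "import those functions into the environment" still reads circularly right after "exported functions in the environment"; wording such as "will then define those functions in the script being run" would be clearer. The new sentence "It also can result in poorly written scripts being tricked into running arbitrary commands" does not tell the reader what makes a script affected, so consider naming the condition, for example that an imported function can shadow a command the script calls by bare name. "can also result" also reads more naturally than "also can result".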