Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Yet To Push Patch For "Shellshock" Bug

Posted by timothy on from the everyone-has-their-reasons dept.

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

5 of 208 comments (clear)

  1. Stackexchange has discussion on patching yourself by evandyke · · Score: 5, Informative

    Stackexchange has a link for anyone who wants to patch their own servers... I've been following it here: http://apple.stackexchange.com... I doubt we'll see a patch from apple until the community agrees that they have a working patch... sounds like they keep going down the rabbit hole right now; keep finding more issues. I upgraded my Lion Server with the current "official" patches, and also the "no function import" change. Better safe...

  2. Re:Issue with FSF statement... by lippydude · · Score: 5, Informative

    @Richard_at_work: "I'd be interested to hear why the down modder thinks my points above are trolling"

    Specifically what in your opinion is inaccurate about the following statement.

    'Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.'

    Microsoft contributes to certain open source projects while at the same time extorting revenue from Android handset makers under threats of litigation. As such its support of openness is suspect.

  3. Re:Bash a bad fit for osx by Anonymous Coward · · Score: 5, Informative

    Initial versions of OS X did come with zsh instead of bash, they only switched later (but before there was any talk of the GPLv3). They reason they switched was for compatibility, as many packages expect /bin/sh to be bash (yes, they're technically broken, but that doesn't help end users that want to use/compile them).

  4. Forget Apple engineers, use NetBSD's patch by Anonymous Coward · · Score: 5, Informative

    The smartest thing to do right now is to not expose a buggy 25-year-old parser to any random person on the internet. Just disable function importing from the environment by default and put it behind a flag.

    Here is a BSD-licensed patch for it: http://seclists.org/oss-sec/20...

    You're welcome.

  5. Re:Ars Technica speculates? by kthreadd · · Score: 5, Informative

    What are you talking about? It is completely factual and a valid point. Apple currently bundles 3.2.51, which is licensed under GPLv2. The patched version of bash is the new 4.3.25, which is licensed using GPLv3. Including it would change the license they are using, which I imagine takes some consideration.

    Here are patches for Bash 3.2:

    https://ftp.gnu.org/gnu/bash/b...
    https://ftp.gnu.org/gnu/bash/b...