Slashdot Mirror


Apple Yet To Push Patch For "Shellshock" Bug

An anonymous reader writes "Open source operating systems vulnerable to the Shellshock bug have already pushed two patches to fix the vulnerability, but Apple has yet to issue one for Mac OS X. Ars Technica speculates that licensing issues may be giving Apple pause: "[T]he current [bash] version is released under the GNU Public License version 3 (GPLv3). Apple has avoided bundling GPLv3-licensed software because of its stricter license terms....Apple executives may feel they have to have their own developers make modifications to the bash code."" It's also worth noting that there are still flaws with the patches issued so far. Meanwhile, Fedora Magazine has published an easy-to-follow description of how Shellshock actually works. The Free Software Foundation has also issued a statement about Shellshock.

13 of 208 comments

  1. Stallman would be proud by Anonymous Coward · · Score: 4, Insightful

    the gpl is doing its job of preventing commercial software from benefiting from it.

    1. Re: Stallman would be proud by frikken+lazerz · · Score: 3, Insightful

      Stallman is batshit insane though, and doesn't even come close to representing the average FOSS user. That would be like thinking all liberals are like Michael Moore or all conservatives are like Rush Limbaugh. The average FOSS advocate just wants his software to work. He prefers FOSS because it is more secure and has the user's interests in mind, unlike software like iTunes that tries to sell users stuff or Chrome that tracks you and sells your data to the highest bidder. The average FOSS user doesn't care if there are binary blobs and doesn't mind using Adobe's Flash because it's way better than any of the open alternatives. This is also the reason Ubuntu and Mint are so popular, not GNUSense or whatever other totally free alternative he recommends. Tl;dr, Stallman shouldn't and represent the FOSS community, and although his ideas might be good in principle, the average user just wants his software to work on par or better than what he used to use on Windows.

    2. Re:Stallman would be proud by marcello_dl · · Score: 5, Insightful

      Moron: Yeah I wanna redistribute your software but not abide by the license it comes with, because it's not freedom enough! I mean, give my source modification to everybody who asks? Avoid patenting and so effectively closing up the work you intended for the world? Why should I do that?

      Dev: how about you write your own damn code and license it as you please? And I suppose you are perfectly fine when your own licenses are being ignored?
       

      --
      trolololol

  2. Issue with FSF statement... by Richard_at_work · · Score: 1, Insightful

    Everyone using Bash has the freedom to download, inspect, and modify the code -- unlike with Microsoft, Apple, or other proprietary software.

    This comes across as scaremongering, as it's a blanket statement professing the openness of bash compared specifically to Microsoft and Apple, while both those companies have huge collections of open source projects where I can do just what they are trumpeting with Bash and the GPL.

    It's a perfect example of why blanket statements should be studied very carefully before being used, as it can just distort your perceived stance when people call you on the flaws of your statement.

    1. Re:Issue with FSF statement... by _merlin · · Score: 1, Insightful

      You conflicted with their ideology and got a "-1 makes me uncomfortable" mod.

    2. Re: Issue with FSF statement... by samkass · · Score: 4, Insightful

      It's true, Apple releases the full source code to the UNIX underlying MacOS X, including all the user land command line utilities and the OS kernel. You can rebuild them all.

      So what is this article about?? Things are working exactly like FSF intended. Apple users can download the source to bash, patch it, and install it on their own machines. If people wait for the vendor to patch, what's the difference between it and closed source?

      --
      E pluribus unum

    3. Re:Issue with FSF statement... by Anonymous Coward · · Score: 0, Insightful

      Congratulations, asshat, you've successfully identified OS X as a commercial OS. Now that you've been awarded "I'm Right" points, would you be willing to at least acknowledge the _fact_ that the BSD layer ("most of the operating system") is fully open source and that Apple's work in the open source community has benefited (and continues to benefit) many other environments well outside anything they'd make money from?

      There, doesn't it feel better not to be a complete fuck-wit?

    4. Re:Issue with FSF statement... by Richard_at_work · · Score: 3, Insightful

      The fact that it's a blanket statement makes it inaccurate, when I can use and contribute to Katana, Kudu, Entity Framework, Asp.Net MVC, Helios, WebAPI, vNext and a host of other things on the MS side, or LLVM and others on the Apple side. Microsoft support of open source is the same as Gnu and FSF - they both support their own pet things and ignore hosts of other things.

      Patent license revenue is entirely an aside to this and has fuck all to do with the point at hand. Just because you are an open source project doesn't make you above patent law.

  3. Bash a bad fit for osx by staalmannen · · Score: 2, Insightful

    What Apple does (keeping an ancient non-gpl3 version of bash as primary shell) seems to be the worst possible solution. There are several powerful shells with liberal licences that would fit osx better: zsh (very powerful, globbing and spelling correction), mksh (light and fast but still full of features) or perhaps for the easy-to-use philosophy: fish. Osx already diverges significantly from other *nixes (case-insensitive, binary format, ...) so keeping bash for legacy support sounds strange - and if important they could just make it an optional install like in most BSDs...

  4. Probably good to give another 48 hours anyway by raymorris · · Score: 4, Insightful

    Some systems should be patched asap, of course, and we've patched our most critical systems. However, the bash team is still working out the best way to do a comprehensive fix, one that takes care of related issues as well as the initial exploit. As of Friday evening Red Hat and upstream bash were headed in two different directions. We'll be waiting until probably Monday evening to patch most of our systems, once the bash team decides what they're going to do and that gets implemented in rpms. It's not unreasonable for most OSX users to take care of it Monday or so, especially since most Macs don't have a public facing internet presence.

    If you're using OSX for an important public facing web server, you can update it today via ./configure; make; make install

  5. Is it actually a bug at all? by anynameleft · · Score: 5, Insightful

    Once upon a time, I learnt that one should not make setuid-root sh scripts, exactly because the shell has so many unpredictable ways to make your script insecure and because secure input validation inside shell scripts itself is nearly impossible. So why do we have the situation now, that internet services are calling bash scripts to run as root with data input from the internet without proper validation?

    In other words: It's no wonder that bash is still 'vulnerable' after two patches, because it isn't supposed to be used like this. And the remaining problems are not a bug in bash, but wrong usage of bash.
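The comment above puts the blame on services that hand internet-supplied data to bash. The following is an added example, not code from the thread or from any project mentioned in it, showing the service-side discipline that removes that exposure regardless of whether the installed bash is patched: start the helper directly (argv list, no shell), build the child's environment from an allow-list, and refuse any value beginning with `() {`, the prefix an unpatched bash reads as an exported function to evaluate at startup. The variable names, `ALLOWED_VARS`, `build_child_env`, `run_helper` and the CGI-style request dictionaries are all constructed for this example.

```python
"""Constructed example: handing a web request to an external helper without
letting request-derived data reach an unpatched bash.

Two layers work together:
  * allow-list: only the variables the helper needs are copied into the
    child's environment; HTTP_USER_AGENT, HTTP_COOKIE, ... are dropped;
  * marker check: any value starting with "() {" (the prefix an unpatched
    bash treated as an exported function definition) is rejected and can be
    logged as a detection event before the request is refused.
The helper is started with shell=False and an absolute path, so no shell is
involved at all. All names below are assumptions for this example.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Mapping, Tuple

# Variables the helper genuinely needs; nothing else from the request reaches it.
ALLOWED_VARS = frozenset({"REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH"})

# Fixed search path for the child; the request must never be able to set PATH.
SAFE_PATH = "/usr/bin:/bin"

# Prefix that an unpatched bash interpreted as the start of an imported function.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")


class UnsafeEnvironmentValue(ValueError):
    """A request-derived value that an old bash would have evaluated as code."""


def suspicious_values(request_env: Mapping[str, str]) -> List[str]:
    """Names of variables whose values carry the function-export marker.

    Detection hook: a non-empty result is worth logging with the client address.
    """
    return sorted(name for name, value in request_env.items()
                  if FUNCTION_EXPORT.match(value))


def build_child_env(request_env: Mapping[str, str]) -> Dict[str, str]:
    """Allow-listed, marker-free environment for the helper process."""
    flagged = suspicious_values(request_env)
    if flagged:
        raise UnsafeEnvironmentValue("function export attempt in: " + ", ".join(flagged))
    env = {name: value for name, value in request_env.items() if name in ALLOWED_VARS}
    env["PATH"] = SAFE_PATH          # overrides any PATH the request tried to supply
    return env


def run_helper(argv: Iterable[str], request_env: Mapping[str, str]) -> Tuple[int, str]:
    """Run `argv` directly (no shell) with a scrubbed environment.

    Returns (exit status, captured stdout).
    """
    argv = list(argv)
    if not argv or not argv[0].startswith("/"):
        raise ValueError("helper must be given as an absolute path")
    result = subprocess.run(argv, env=build_child_env(request_env), shell=False,
                            capture_output=True, text=True, check=False)
    return result.returncode, result.stdout


# Constructed CGI-style request environments (not real traffic).
BENIGN_REQUEST = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "id=42",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "PATH": "/tmp/not-trusted",       # dropped: PATH always comes from SAFE_PATH
}
# Same request, but the User-Agent carries the function-export marker.
HOSTILE_REQUEST = dict(BENIGN_REQUEST, HTTP_USER_AGENT="() { :; }; constructed")


if __name__ == "__main__":
    print("flagged in hostile request:", suspicious_values(HOSTILE_REQUEST))
    status, out = run_helper(["/usr/bin/env"], BENIGN_REQUEST)
    print("helper exit status:", status)
    print(out)
```

Running the module prints the flagged variable name for the hostile request and then the environment the helper actually saw for the benign one: three allow-listed variables plus the fixed PATH, and no User-Agent. The allow-list alone already keeps the header out of the child; the marker check exists so that the attempt is visible in logs rather than silently discarded.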

  6. MS patented "open", funky licenses by raymorris · · Score: 4, Insightful

    > There can be no 'suspect' in the 'openness' because they have agreed to the license

    In some cases, such as document formats, they have patents that apply. The _copyright_ license means you're not violating their _copyright_ by using/modifying/distributing the code, or code that has a similar function, but you're still subject to their patents, so they can still sue you for millions and billions of dollars. The only protection you have for this code (and any code that reads or writes their format) is an informal promise that as long as they don't mind what you're doing, this year they won't sue you. That's certainly suspect. They might not completely screw everyone who touches their code, but they've reserved the right to do so.

    They also have a license which they call "open", but it sure doesn't read like any open source license before. "Hi, my name's Chelsea", their license purrs, with her adam's apple rising. Suspect.

  7. Use Macports by ugen · · Score: 3, Insightful

    Macports updated their version of bash. Get macports here, if you don't already have them, and install bash: https://www.macports.org/
    Make sure to move their bash into /bin and remove original Mac binary.