Daniel Staal DStaal at usa.net
Thu Sep 25 04:38:07 UTC 2014

--As of September 25, 2014 4:05:16 AM +0900, Randy Bush is alleged to have 

> there is an update out you want.  badly.
> debian/ubuntu admins may want to apt-get update/upgrade or whatever
> freebsd similarly
> can not speak for other systems

--As for the rest, it is mine.

FreeBSD (and other BSDs, as far as I can tell) are not affected unless the 
admin has installed bash specifically; it's not part of the default 
install.  It may however have been installed as part of the requirements 
for something else.

This also should mean that the vulnerability is a bit more limited than in 
systems that use bash for /bin/sh: Even if you've installed bash, you 
aren't as likely to be running it in CGI or other similar contexts.  (Not 
that that means it's blocked entirely if you've installed it, but it should 

As of Wednsday afternoon, FreeBSD ports had the update but packages did not 

Daniel T. Staal

This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.

More information about the NANOG mailing list