path: root/UPDATING
author    bdrewery <bdrewery@FreeBSD.org>  2014-09-27 04:33:23 +0800
committer bdrewery <bdrewery@FreeBSD.org>  2014-09-27 04:33:23 +0800
commit    96ee895213076944656013cdb7856322a6e74ac8 (patch)
tree      9d274c528e467f3390943eb35964c9b93eb97e8b /UPDATING
parent    15e18c2c46d686360e8e2dfaad2818686092b107 (diff)
Disable function importing from the environment by default. This can be
enabled by using --import-functions or enabling the IMPORTFUNCTIONS option.

This removes the risk of further parser bugs leading to code execution, as
well as the risk to setuid scripts and poorly written applications that do
not cleanse their environment [1][2].

Also note that there is an unofficial 4.3.26 floating around that has not
yet been officially released. r369261 covers the change in 4.3.26.

See also:	http://seclists.org/oss-sec/2014/q3/747 [1]
		http://seclists.org/oss-sec/2014/q3/746 [2]
		http://seclists.org/oss-sec/2014/q3/755 [3]

Obtained from:	NetBSD (based on) [3]
PR:		193932
Reviewed by:	Eric Vangyzen
With hat:	portmgr
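The mechanism the commit message refers to can be checked from a plain POSIX shell. The script below is an added example, not part of this ports commit or of the bash port: it runs a child `bash` found in PATH (an assumption) once with a function exported via `export -f`, and once with the well-known CVE-2014-6271 probe, where code trailing a function definition in an environment variable must not execute. On the patched FreeBSD port the first check fails unless the child is started with `--import-functions`; on upstream bash it still succeeds, which is exactly the behaviour this change turns off by default. The probe must report "not vulnerable" on any bash that carries the upstream fixes.

```shell
#!/bin/sh
# Added example (not from the FreeBSD ports tree). Assumes a `bash` binary
# in PATH; every check treats a missing or failing bash as "no".

# Does a child bash import a function that a parent bash exported with
# `export -f`?  Returns 0 if it does, 1 otherwise.  With the port's default
# (function import disabled) this is 1; with --import-functions it is 0.
bash_imports_functions() {
    out=$(bash -c 'greet() { echo imported; }; export -f greet;
                   bash -c greet 2>/dev/null' 2>/dev/null || true)
    [ "$out" = "imported" ]
}

# Same check, but asking the child for the import explicitly.  The flag is
# the one this commit adds to the FreeBSD port; upstream bash rejects it,
# so on a non-FreeBSD bash this simply returns 1.
bash_imports_functions_with_flag() {
    out=$(bash -c 'greet() { echo imported; }; export -f greet;
                   bash --import-functions -c greet 2>/dev/null' 2>/dev/null || true)
    [ "$out" = "imported" ]
}

# Classic CVE-2014-6271 probe.  The variable value parses as a function
# definition followed by extra code; a vulnerable bash executes that code
# while importing the "function".  Returns 0 if the code ran (vulnerable),
# 1 if it did not.
bash_shellshock_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable summary for the reader running the script by hand.
if bash_imports_functions; then
    echo "child bash imports exported functions from the environment"
else
    echo "child bash does NOT import exported functions (port default)"
fi
if bash_imports_functions_with_flag; then
    echo "child bash imports functions when started with --import-functions"
else
    echo "--import-functions not accepted or import still refused"
fi
if bash_shellshock_vulnerable; then
    echo "bash executes trailing code from the environment: VULNERABLE"
else
    echo "bash does not execute trailing code from the environment"
fi
```

Run it as `sh check-bash-import.sh`; the only result that is fixed regardless of which bash is installed is the last line, which must never read VULNERABLE. The first two lines tell you which of the two behaviours described in the commit message your bash has, and are the quickest way to confirm the port's IMPORTFUNCTIONS option took effect after rebuilding.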
Diffstat (limited to 'UPDATING')

 UPDATING | 16 ++++++++++++++++
 1 file changed, 16 insertions(+), 0 deletions(-)
diff --git a/UPDATING b/UPDATING
index 583b1844796..c427f18ea15 100644
--- a/UPDATING
+++ b/UPDATING
@@ -6,6 +6,22 @@ You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
20140926:
+ AFFECTS: users of shells/bash
+ AUTHOR: bdrewery@FreeBSD.org
+
+ Bash supports a feature of exporting functions in the environment with
+ export -f. Running bash with exported functioned in the environment will
+ then import those functions into the environment. This resulted in
+ security issues CVE-2014-6271 and CVE-2014-7169, commonly known as
+ "shellshock".
+
+ To fully mitigate against this sort of attack we have applied a non-upstream
+ patch to disable this functionality by default. You can execute bash
+ with --import-functions to allow it to import functions from the
+ environment. The default can also be changed in the port by selecting the
+ IMPORTFUNCTIONS option.
+
+20140926:
AFFECTS: users of net/asterisk and net/asterisk11
AUTHOR: madpilot@FreeBSD.org
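Review bot: typo in the second sentence of the new entry, "Running bash with exported functioned in the environment will then import those functions into the environment" should read "exported functions", and the functions are imported into the running shell, not "into the environment"; suggest "Running bash with exported functions in the environment will import those functions into the new shell." The entry also tells users how to re-enable the feature but not what breaks when it stays off: any script or program that relies on functions crossing a bash-to-bash boundary via export -f will now find them undefined, so a line such as "Scripts that depend on exported functions will fail until run with --import-functions or the port is rebuilt with IMPORTFUNCTIONS" would make the impact clear to the people this AFFECTS line is aimed at.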