
How to check and upgrade Bash on FreeBSD - related to the Shellshock bug


I read the article "A Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)" this morning when I came into work. I have updated Bash on most of the systems that I am responsible for; however, I was asked to upgrade Bash on a couple of FreeBSD servers.

How do I check which version of Bash is running on FreeBSD and how do I patch it to get rid of this exploit?


Solution

  • You can verify the installed version of bash with

    pkg info bash
    

    The patched version of bash is already in the ports tree; you can therefore upgrade it like any application.

    Once bash has been rebuilt by the package build farm, you can upgrade bash as you would upgrade any package, with

    pkg upgrade bash
    

    If you are not familiar with pkg, you should read the appropriate chapter in the Handbook.

    Important note. At the time of writing it seems that the package is not yet available, so here is the manual procedure to build your own package from sources:

    1. Be sure to upgrade your ports tree before trying to upgrade.

    2. Move your shell to the ports directory and build

    cd /usr/ports/shells/bash
    make BATCH=yes build
    

    3. Replace the old bash with

    make BATCH=yes deinstall
    make BATCH=yes reinstall
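
The following is an added example, not part of the original answer: a POSIX sh check that reads `pkg info bash` output and reports whether the installed package is older than a minimum fixed version, which is useful for confirming the upgrade on each server. The function names, the sample output and the threshold value are constructed for illustration; take the real minimum version from the FreeBSD advisory for CVE-2014-6271.

```shell
#!/bin/sh
# Added example (not from the original answer): compare the bash version
# reported by `pkg info bash` against a minimum fixed version.

# Constructed sample of `pkg info bash` output (abridged); values are made up.
SAMPLE_PKG_INFO='bash-4.3.24
Name           : bash
Version        : 4.3.24
Origin         : shells/bash'
# Constructed threshold for the demo; take the real one from the advisory.
SAMPLE_MIN_FIXED='4.3.25'

# Read `pkg info <pkg>` output on stdin and print its Version field.
pkg_version_field() {
    awk -F': *' '/^Version[ \t]*:/ { print $2; exit }'
}

# Succeed when version $1 is lower than $2. Port revision (_N) and epoch (,N)
# suffixes are dropped and components are assumed numeric (simplification;
# on FreeBSD `pkg version -t` does the full comparison).
version_lt() {
    a=${1%%[_,]*}; b=${2%%[_,]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Usage on a host: pkg info bash | check_bash_pkg <min-fixed-version>
# Prints a verdict; returns 1 when the installed package predates the fix.
check_bash_pkg() {
    installed=$(pkg_version_field)
    if [ -z "$installed" ]; then echo "NOT-INSTALLED"; return 0; fi
    if version_lt "$installed" "$1"; then
        echo "NEEDS-UPGRADE $installed"; return 1
    fi
    echo "OK $installed"
}

# Demo on the constructed sample, so the script runs without pkg.
printf '%s\n' "$SAMPLE_PKG_INFO" | check_bash_pkg "$SAMPLE_MIN_FIXED" \
    || echo "-> upgrade bash (pkg upgrade bash, or the ports build)"
```

A package version at or above the threshold only shows that the fixed package is installed; shells started before the upgrade keep running the old binary until they are restarted.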