by deathanatos
1704 days ago
Uh, it's pretty well-known that Apple ships some absolutely ancient stuff in macOS. It can't be that hard to find a reference… but, here ya go:

  » curl --version
  curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (securetransport) libressl/2.8.3 zlib/1.2.11 nghttp2/1.41.0
  release-date: 2019-03-27
  protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
  features: asynchdns gss-api http2 https-proxy ipv6 kerberos largefile libz multissl ntlm ntlm_wb spnego ssl unixsockets
  » bash --version
  gnu bash, version 3.2.57(1)-release (x86_64-apple-darwin20)
  copyright (c) 2007 free software foundation, inc.

So unless Apple has some patches on top of that, as curl's website says, there are 22 vulns. in that 2.5 yo version.[1]

That version of bash is from about when the copyright indicates, i.e., 14 years ago. Thankfully there probably isn't a good exploit path for bash that doesn't already involve one being able to run code, but still, as a dev, it'd be nice to get a more recent version.

[1]: https://curl.se/docs/releases.html
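An added example, not part of the comment above and not code from Apple, curl or bash: a small inventory check that parses the two version banners quoted in the comment and reports how old each tool is. The function names, the one-year threshold and the choice to date bash from 1 January of its copyright year are assumptions.

```python
import re
from datetime import date

# Sample input: the two banners as quoted in the comment above (trimmed).
CURL_BANNER = """curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (securetransport) libressl/2.8.3 zlib/1.2.11 nghttp2/1.41.0
release-date: 2019-03-27
"""
BASH_BANNER = """gnu bash, version 3.2.57(1)-release (x86_64-apple-darwin20)
copyright (c) 2007 free software foundation, inc.
"""

def parse_curl(banner):
    """Return (version, release_date, {linked_lib: version}) from `curl --version`."""
    first = banner.splitlines()[0]
    version = re.match(r"curl (\S+)", first).group(1)
    m = re.search(r"^release-date: (\d{4})-(\d{2})-(\d{2})$", banner, re.I | re.M)
    released = date(*map(int, m.groups())) if m else None
    # Linked libraries appear as name/version tokens on the first line.
    libs = dict(re.findall(r"([A-Za-z0-9_]+)/([0-9][\w.]*)", first))
    return version, released, libs

def parse_bash(banner):
    """Return (version, copyright_year); bash prints no release date, only a year."""
    version = re.search(r"version (\d+(?:\.\d+)*)", banner, re.I).group(1)
    year = re.search(r"copyright \(c\) (\d{4})", banner, re.I)
    return version, int(year.group(1)) if year else None

def stale_tools(today, max_age_years=1.0):
    """List (tool, version, age_in_years) for banners older than the threshold."""
    cv, released, _ = parse_curl(CURL_BANNER)
    bv, year = parse_bash(BASH_BANNER)
    ages = [("curl", cv, (today - released).days / 365.25),
            # Only the year is known for bash, so measure from 1 January.
            ("bash", bv, (today - date(year, 1, 1)).days / 365.25)]
    return [(t, v, round(a, 1)) for t, v, a in ages if a > max_age_years]

if __name__ == "__main__":
    for tool, version, age in stale_tools(date.today()):
        print(f"{tool} {version}: about {age} years old")
```

To run it against a live system, replace the two banner strings with the captured output of `curl --version` and `bash --version`.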