Univention Bugzilla – Bug 45235
git: Multiple issues (4.2)
Last modified: 2018-05-08 14:56:30 CEST
Upstream Debian package version 1:2.1.4-2.1+deb8u4 fixes:
* Command injection via malicious ssh URLs (CVE-2017-1000117)

1:2.1.4-2.1+deb8u5 fixes:
* the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured (however, the git-cvs package needs to be installed) (CVE-2017-14867)
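The deb8u4 fix above rejects ssh hostnames and repository paths that begin with a dash, because such a value ends up in ssh's argv and is parsed as an option rather than as data. The following is an added illustration of that "looks like a command line option" check on the client side; it is not git's code and simplifies the real URL handling (the `parse_ssh_remote` and `is_safe_remote` helpers are my own names).

```python
import re
from typing import Tuple
from urllib.parse import urlsplit

# scp-style remote: [user@]host:path (a slash before the first colon means a local path)
_SCP_STYLE = re.compile(r"(?:[^@/]+@)?([^:/]+):(.*)")


def looks_like_command_line_option(arg: str) -> bool:
    """The check git factored out for CVE-2017-1000117: anything starting
    with '-' would be interpreted by ssh (or $GIT_PROXY_COMMAND) as an option."""
    return arg.startswith("-")


def parse_ssh_remote(url: str) -> Tuple[str, str]:
    """Split an ssh:// or scp-style remote into (host, path).

    git runs roughly `ssh <host> "git-upload-pack '<path>'"`, so both values
    are validated before they can reach a command line.
    """
    if url.startswith("ssh://"):
        parts = urlsplit(url)
        host = parts.hostname or ""   # userinfo and port are stripped here
        path = parts.path
    else:
        m = _SCP_STYLE.fullmatch(url)
        if not m:
            raise ValueError(f"not an ssh remote: {url!r}")
        host, path = m.group(1), m.group(2)
    if looks_like_command_line_option(host):
        raise ValueError(f"strange hostname {host!r} blocked")
    if looks_like_command_line_option(path):
        raise ValueError(f"strange pathname {path!r} blocked")
    return host, path


def is_safe_remote(url: str) -> bool:
    """True if the remote passes the option-lookalike check, False otherwise."""
    try:
        parse_ssh_remote(url)
    except ValueError:
        return False
    return True
```

Constructed inputs such as `ssh://-not-a-host/repo.git` or `git@example.org:-repo.git` are rejected, while ordinary remotes pass unchanged.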
Mass-import from Debian-Security:
python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553
YAML: git:bd6159834a..449aa5a7cf
--- mirror/ftp/4.2/unmaintained/4.2-2/source/git_2.1.4-2.1+deb8u3.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/git_2.1.4-2.1+deb8u5.dsc @@ -1,3 +1,31 @@ +1:2.1.4-2.1+deb8u5 [Mon, 25 Sep 2017 12:12:03 -0700] Jonathan Nieder <jrnieder@gmail.com>: + + * Fix remote shell command execution via CVS protocol: + - git-shell: drop cvsserver support by default + - git-cvsserver: harden backtick captures against user input + * Avoid shell command injection in other commands as well: + - git-cvsimport: harden backtick captures against user input + - git-archimport: harden backtick captures against user input + + Thanks to joernchen of Phenoelit for discovering, reporting, and + fixing this vulnerability, and to Junio C Hamano and Jeff King for + the fixes to related issues. + +1:2.1.4-2.1+deb8u4 [Wed, 09 Aug 2017 23:30:50 -0700] Jonathan Nieder <jrnieder@gmail.com>: + + * Fix CVE-2017-1000117, arbitrary code execution issues via URLs: + - reject ssh hostname that begins with a dash + - add test for hostname starting with dash to the testsuite + - factor out "looks like command line option" check + - reject dashed arguments to $GIT_PROXY_COMMAND + - ssh:// and local URLs: reject path to repositories that look + like command line options + + Thanks to Joern Schneeweisz of Recurity Labs for discovering this + vulnerability, Brian Neel at GitLab for reporting it to the Git + project, and Junio Hamano and Jeff King for writing the patches to + address it. + 1:2.1.4-2.1+deb8u3 [Tue, 09 May 2017 16:18:46 -0700] Jonathan Nieder <jrnieder@gmail.com>: * Do not allow git helpers run via git-shell to launch a pager
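Review bot: the new 1:2.1.4-2.1+deb8u5 entry in this hunk cites no CVE identifier, while the deb8u4 entry directly below it names CVE-2017-1000117; since the comment above identifies the git-cvsserver backtick issue as CVE-2017-14867, suggest appending "(CVE-2017-14867)" to the line "* Fix remote shell command execution via CVS protocol:" so the package changelog can be matched to the advisory without consulting the bug.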
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
<http://errata.software-univention.de/ucs/4.2/376.html>