1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4581-1] git security update

    From Salvatore Bonaccorso@1:229/2 to All on Tue Dec 10 21:00:01 2019
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4581-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso December 10, 2019 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : git
    CVE ID : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353
    CVE-2019-1387 CVE-2019-19604

    Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system.

    CVE-2019-1348

    It was reported that the --export-marks option of git fast-import is
    exposed also via the in-stream command feature export-marks=...,
    allowing to overwrite arbitrary paths.

    CVE-2019-1387

    It was discovered that submodule names are not validated strictly
    enough, allowing very targeted attacks via remote code execution
    when performing recursive clones.

    CVE-2019-19604

    Joern Schneeweisz reported a vulnerability, where a recursive clone
    followed by a submodule update could execute code contained within
    the repository without the user explicitly having asked for that. It
    is now disallowed for `.gitmodules` to have entries that set
    `submodule.<name>.update=!command`.

    In addition this update addresses a number of security issues which are
    only an issue if git is operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352 and CVE-2019-1353).

    For the oldstable distribution (stretch), these problems have been fixed
    in version 1:2.11.0-3+deb9u5.

    For the stable distribution (buster), these problems have been fixed in
    version 1:2.20.1-2+deb10u1.

    We recommend that you upgrade your git packages.

    For the detailed security status of git please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/git

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl3v+DpfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TR6Q/+IWXXUuRm25//+lK49cbuK/+FeJeflX+6jGM6xoCjolI5PytqxycP45xm rYhJfinm4slwb02m6i3nBlWQ1UQrIrJMqx0jYLIsPQy49vKyBrXXG10yTQXY0W6O Cu4UJyt0+vHciE6nCgJTqcHYfEAP8JcuTyVCd//mkKGN3XCWKllc31bTjzWq1OzI ssmZKJhx38uK2M+PyCIIiTHsZioW07j+Z80KbIBjExLRZx+5tggs46F/Az35hyQX Ff39tEPJm3Wx+9YkNBi7IIaRUQeYD8lcUfQydaVGT8qyR4uaAoztU9vWMDKGcMXd paZWr2OHu7q06QrTfbiZ1dnTaC5F88atgu7oy9689+MZjwyMCUCo6rloRCwDA+Sq EZaJYIeFeRM9G04FEwcvAwWiYaYFMbFM2rTh+dKccJArxm3eIvqlyQE+zuqbUkeh AMFKHDJknG3ilnlUZHG5PLWYMUnHRaIzTWEicppwe7RnbtrlMTPFCaVCXW90y2+5 lZAQYeGBh18CF7O5K2OJSFtcypx2Viu6hIARSdzwNsiF5im0iusOYk17XjrbEs3q Bvqf299HRYtzbhKG60BSxgUbFZi5rjMbVKOf5TYc0dGYmT2K1tkIMOkXDXRozjC0 qX4sPRldX+QZAtjJnpDvqmUNwXCpggfGlQFk2Dofph1a/kahwsY=
    =mFpS
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)