ESB-2017.2452 - [UNIX/Linux][Debian] git: Execute arbitrary code/commands - Existing account 2017-09-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2452
                            git security update
                             29 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14867  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3984

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running git check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3984-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
September 26, 2017                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : git
Debian Bug     : 876854

joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator.  The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).

In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default.  Refer to the updated
documentation for instructions on how to re-enable it in case this CVS
functionality is still needed.
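The following is an added illustration of the bug class the advisory
describes, not code from git-cvsserver or from Debian's patch.  A Perl
backtick expression is handed to /bin/sh -c after variable interpolation,
so a ref or module name supplied by a remote client and interpolated
unquoted into the command becomes a second shell command.  The remedy is
to never involve the shell: pass the program and its arguments as a list,
which forks and execs directly.  The function names, the use of 'echo' as
a stand-in for the git invocation, the input string and the ref-name
check are all constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed attacker input: a module/ref name a remote CVS client could
# send.  The ';' terminates the intended command when a shell parses it.
my $module = 'trunk; echo INJECTED-BY-SHELL >&2';

# VULNERABLE pattern.  Backticks interpolate $m and pass the resulting
# string to /bin/sh -c.  'echo' stands in for the git command the real
# server would run; the injected 'echo ... >&2' runs as a separate command.
sub lookup_via_backticks {
    my ($m) = @_;
    my $out = `echo refs/heads/$m`;
    return $out;
}

# SAFE pattern.  open() with '-|' and MORE THAN ONE list element after it
# forks and execs the program with exactly those argv strings; no shell
# is involved, so shell metacharacters in $m are just bytes in one
# argument.  (A single-string form, open($fh, '-|', "echo $m"), would
# still go through the shell and would still be injectable.)
sub lookup_via_list_open {
    my ($m) = @_;
    open(my $fh, '-|', 'echo', "refs/heads/$m")
        or die "cannot exec echo: $!";
    local $/;                       # slurp all output at once
    my $out = <$fh>;
    close($fh) or die "child failed: $?";
    return $out;
}

# Defence in depth (assumption: the caller only ever needs plain ref
# names).  Rejecting anything outside a conservative character set keeps
# surprising input out even if some other code path still builds a
# shell string.  This is an addition to, not a substitute for, the list
# form above.
sub assert_plain_refname {
    my ($m) = @_;
    die "rejecting suspicious ref name: $m\n"
        unless $m =~ m{\A[A-Za-z0-9._/-]+\z};
    return $m;
}

print "backticks : ", lookup_via_backticks($module);    # also prints INJECTED-BY-SHELL on stderr
print "list open : ", lookup_via_list_open($module);    # whole string is one argument
eval { assert_plain_refname($module) };
print "validator : ", $@ if $@;
```

Run on any Unix host with perl and a POSIX sh.  The backtick call prints
"refs/heads/trunk" and, on stderr, INJECTED-BY-SHELL, showing the second
command executed; the list-form call prints the entire attacker string as
a single echo argument and nothing else runs.  The same distinction
applies to system() and exec(): the single-string forms consult the shell
when the string contains metacharacters, the list forms never do.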

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.14.2-1.

We recommend that you upgrade your git packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEyNPZz/qecFY/MvpUv3v/BALVJL4FAlnKuTMACgkQv3v/BALV
JL4vRAf/ZGL0X5EldvWKCmMBr0kyKvpZz4+RoD8Vh8QVBIhpsnvDFcmAujvME5/l
/1++ItaL6vui3+cevs1Stgg4FUqz5BRHfMd6NyQIXYfYR7Gke6gUWHnJRHPObOO9
kP2vLWROYfeJ3u7CBqmVy/dJMPfu1X11Ye1M2PGj9qHej5OShxeC8LIQ7PNGY8fb
YFANcYlroA/XuOGv3PCFgzmz30WJud+5oynBfPdHY3MxXKC//MKF4vKPvDhncoGc
D8lQwOXQ0iSinpRG3II9gf4bmQ/ijHgNPedCMzdHcENFWuV18UO8m5sqLbPg0m+S
UoHfNjsbSkXpRgJtldzRKeebO1NsNQ==
=HGmr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
