Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0875 -- [UNIX/Linux][Debian] New git-core packages fix buffer overflow 16 September 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: git-core Publisher: Debian Operating System: Debian GNU/Linux 4.0 UNIX variants (UNIX, Linux, OSX) Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2008-3546 Original Bulletin: http://www.debian.org/security/2008/dsa-1637 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1637-1 security@debian.org http://www.debian.org/security/ Devin Carraway September 15, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : git-core Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE Id(s) : CVE-2008-3546 Debian Bug : 494097 Multiple vulnerabilities have been identified in git-core, the core of the git distributed revision control system. Improper path length limitations in git's diff and grep functions, in combination with maliciously crafted repositories or changes, could enable a stack buffer overflow and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies this vulnerabilitiy as CVE-2008-3546. For the stable distribution (etch), this problem has been fixed in version 1.4.4.4-2.1+etch1. For the unstable distribution (sid), this problem has been fixed in version 1.5.6.5-1. We recommend that you upgrade your git-core packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1.dsc Size/MD5 checksum: 801 e1da32690d937c31112734e3a568a6b2 http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz Size/MD5 checksum: 1054130 99bc7ea441226f792b6f796a838e7ef0 http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1.diff.gz Size/MD5 checksum: 80042 b10d0f2f899b73e92cc22fd0e7616f8a Architecture independent packages: http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 68534 bc1c4be53e445eb2a9a1cba42410f85e http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 93752 fbbef80ad27745f79072bce3e5ae3a96 http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 62850 dfaff5a7df0025792768a536fae519af http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 88008 b10f4275020e838c1fb1a1af6ccef056 http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 55366 5b7be4b5951849b301d1faddf831dff8 http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 466200 0a21d338c7741147ff36242abaf3b402 http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 100590 990844afb17ba526bbffb49796497b6e http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-2.1+etch1_all.deb Size/MD5 checksum: 99352 a2d4c126758efa9fa9a549e8736f80a3 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_alpha.deb Size/MD5 checksum: 3092536 10a91198e5606dc6b1f6037803389d53 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_amd64.deb Size/MD5 checksum: 2627502 3fad9097fef2d907e66a28c9cb3f9684 arm architecture (ARM) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_arm.deb Size/MD5 checksum: 2317560 de4bd89d3a608df2b1216f86cf0b8b53 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_hppa.deb Size/MD5 checksum: 2692126 53c2bf7b21e779e94c34405201be7910 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_i386.deb Size/MD5 checksum: 2330734 769253444bc1f266f706bc742bec86ee ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_ia64.deb Size/MD5 checksum: 3813238 65d7e5064d427e425173653300a6b5c6 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_mips.deb Size/MD5 checksum: 2784982 4cd7c71d0cb63880562ec56b9c30ba0f mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_mipsel.deb Size/MD5 checksum: 2799604 8cedf2b70c763b893500a04d42ffa82d powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_powerpc.deb Size/MD5 checksum: 2636198 fe400a070ce9d89c60dc619334501d94 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_s390.deb Size/MD5 checksum: 2620338 2c0192889678a8159a26c1f8c9d3a970 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-2.1+etch1_sparc.deb Size/MD5 checksum: 2278862 cd969645dfe4fb36e457dabc3a5c7516 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIzg5eU5XKDemr/NIRAtskAKDb86DRKtjvC4xLal3kgdnQcL6GOQCfaKqO 8yxmorHwWyHkVLSsGB1WikQ= =0rLf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSM74Zih9+71yA2DNAQIfsgP+Pep10IUoytgKajaWS+4PM03uLkC3p2LP qritcqEQ//s7dNpcd0j03ewDI+uZdNVBv9a1U+OhbMti+wS9DoOmJuPeoEHe5JA2 wvBLAHbpDJ7458eJftC8BUU4NTQypjYbPQYIgsrTKZoUiC+mE9Xez2g6kW4/4hb5 d8fkwWggFpI= =Zx9u -----END PGP SIGNATURE-----