===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2639
                          git-annex security update
                              6 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git-annex
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10859 CVE-2018-10857 CVE-2017-12976
Reference:         ESB-2018.1958
                   ESB-2017.2746

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/09/msg00004.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : git-annex
Version        : 5.20141125+oops-1+deb8u2
CVE ID         : CVE-2017-12976 CVE-2018-10857 CVE-2018-10859
Debian Bug     : 873088

The git-annex package was found to have multiple vulnerabilities when
operating on untrusted data that could lead to arbitrary command execution
and encrypted data exfiltration.

CVE-2017-12976

    git-annex before 6.20170818 allows remote attackers to execute arbitrary
    commands via an ssh URL with an initial dash character in the hostname,
    as demonstrated by an ssh://-eProxyCommand= URL, a related issue to
    CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.

CVE-2018-10857

    git-annex is vulnerable to a private data exposure and exfiltration
    attack. It could expose the content of files located outside the
    git-annex repository, or content from a private web server on localhost
    or the LAN.

CVE-2018-10859

    git-annex is vulnerable to an Information Exposure when decrypting files.
    A malicious server for a special remote could trick git-annex into
    decrypting a file that was encrypted to the user's gpg key. This attack
    could be used to expose encrypted data that was never stored in
    git-annex.

For Debian 8 "Jessie", these problems have been fixed in version
5.20141125+oops-1+deb8u2.

We recommend that you upgrade your git-annex packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        https://www.auscert.org.au/bulletins/

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
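The dash-prefixed hostname class behind CVE-2017-12976 is mitigated on the consuming side by never handing ssh a host, user or port field that it could parse as an option. The validator below is an added example written for this bulletin, not git-annex's or Debian's own code; it generalises from the ssh:// URL form quoted in the advisory to scp-style [user@]host:path remotes, and `ssh_remote_is_safe`, `_split_netloc` and the sample remote strings are hypothetical, with the `ssh://-eProxyCommand=` form taken from the advisory text.

```python
"""Reject ssh remotes whose host or user field would be read by ssh as a
command-line option (the CVE-2017-12976 bug class).  Example code; the
function names and sample remotes are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Plain DNS name / IPv4 (first branch) or a bare IPv6 literal (second branch).
_HOST_RE = re.compile(r"[A-Za-z0-9._-]+|[0-9A-Fa-f:.]+")


def _split_netloc(netloc: str):
    """Split 'user[:pw]@host[:port]' or 'user@[v6]:port' into (user, host, port)."""
    userinfo, _, hostport = netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    if hostport.startswith("["):                 # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return user, host, port


def ssh_remote_is_safe(remote: str) -> bool:
    """True if `remote` (an ssh:// URL or scp-style [user@]host:path) cannot
    smuggle an ssh option such as -e or -o through its host or user field."""
    if "://" in remote:
        parts = urlsplit(remote)
        if parts.scheme.lower() != "ssh":
            return False                          # only ssh remotes are judged here
        user, host, port = _split_netloc(parts.netloc)
    else:
        # scp-style: text before the first ':' is [user@]host, unless a '/'
        # comes first (then it is a local path, not an ssh remote).
        head, sep, _ = remote.partition(":")
        if not sep or "/" in head:
            return False
        user, host, port = _split_netloc(head)
    for field in (user, host):
        if field.startswith("-"):                 # ssh would treat it as an option
            return False
    if not host or not _HOST_RE.fullmatch(host):  # empty or unexpected characters
        return False
    return port == "" or port.isdigit()           # a non-numeric port is rejected
```

Use it in front of whatever spawns ssh for a remote taken from untrusted data; a False result means the remote must be refused, not sanitised.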