Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201705-14 ========================================= Severity: High Date : 2017-05-12 CVE-ID : CVE-2017-8386 Package : git Type : access restriction bypass Remote : Yes Link : https://security.archlinux.org/AVG-267 Summary ====== The package git before version 2.13.0-1 is vulnerable to access restriction bypass. Resolution ========= Upgrade to 2.13.0-1. # pacman -Syu "git>=2.13.0-1" The problem has been fixed upstream in version 2.13.0. Workaround ========= None. Description ========== A security issue has been found in git < 2.12.3, allowing a remote restricted user to execute an interactive pager on the server by causing it to spawn "git upload-pack --help". This is only an issue for servers running the "git-shell" restricted login shell. Impact ===== A remote attacker can use the interactive pager commands to access and modify arbitrary files on the affected host. If the login shell used is not git-shell, a remote attacker might also be able to run arbitrary commands on the affected host. References ========= https://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ https://security.archlinux.org/CVE-2017-8386