Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 523
Alerts This Week
Warning Icon 1 523

Debian DSA-1708-1 Critical: Git Command Execution Remote Threat

debian
Calendar Grey January 19, 2009
Scroller Debian
Resolved a vulnerability related to remote command execution in gitweb as noted in Debian DSA-1708-1. It is recommended to upgrade Git packages to ensure enhanced security.
It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell...

Summary

It was discovered that gitweb, the web interface for the Git version
control system, contained several vulnerabilities:

Remote attackers could use crafted requests to execute shell commands on
the web server, using the snapshot generation and pickaxe search
functionality (CVE-2008-5516).

Local users with write access to the configuration of a Git repository
served by gitweb could cause gitweb to execute arbitrary shell commands
with the permission of the web server (CVE-2008-5517).

For the stable distribution (etch), these problems have been fixed in
version 1.4.4.4-4+etch1.

For the unstable distribution (sid) and testing distribution (lenny),
the remote shell command injection issuei (CVE-2008-5516) has been fixed
in version 1.5.6-1. The other issue will be fixed soon.

We recommend that you upgrade your Git packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package m...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: git-core

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.