Debian: DSA-1708-1: New Git packages fix remote code execution

    Date: 19 Jan 2009
    Category: Debian
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1708-1
    http://www.debian.org/security/                           Florian Weimer
    January 19, 2009                      http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : git-core
    Vulnerability  : shell command injection
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2008-5516 CVE-2008-5517
    Debian Bug     : 512330
    
    It was discovered that gitweb, the web interface for the Git version
    control system, contained several vulnerabilities:
    
    Remote attackers could use crafted requests to execute shell commands on
    the web server, using the snapshot generation and pickaxe search
    functionality (CVE-2008-5516).
    
    Local users with write access to the configuration of a Git repository
    served by gitweb could cause gitweb to execute arbitrary shell commands
    with the permission of the web server (CVE-2008-5517).
    
    For the stable distribution (etch), these problems have been fixed in
    version 1.4.4.4-4+etch1.
    
    For the unstable distribution (sid) and testing distribution (lenny),
    the remote shell command injection issue (CVE-2008-5516) has been fixed
    in version 1.5.6-1.  The other issue will be fixed soon.
    
    We recommend that you upgrade your Git packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
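    To confirm that a host actually carries the fixed versions named above, the check below is added here as an example (it is not Debian's code). It reimplements dpkg's version ordering in Python so it runs without dpkg, and compares an installed git-core version against the per-suite fixed versions taken from this advisory; on a real host the installed version would come from `dpkg-query -W -f='${Version}' git-core`.

```python
import re
from itertools import zip_longest

# Fixed versions as stated in DSA-1708-1; None means no fix was announced in that suite yet.
FIXED = {
    "etch":  {"CVE-2008-5516": "1.4.4.4-4+etch1", "CVE-2008-5517": "1.4.4.4-4+etch1"},
    "lenny": {"CVE-2008-5516": "1.5.6-1", "CVE-2008-5517": None},
    "sid":   {"CVE-2008-5516": "1.5.6-1", "CVE-2008-5517": None},
}

def _weight(c):
    """dpkg's ordering for one non-digit character: '~' sorts before the empty
    string, letters come next, any other character sorts after letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _sign(n):
    return (n > 0) - (n < 0)

def _cmp_fragment(a, b):
    """Compare two upstream (or two revision) strings the way dpkg does:
    alternate non-digit runs (char by char) and digit runs (numerically)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _weight(x) != _weight(y):
                return _sign(_weight(x) - _weight(y))
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0) - int(db or 0))
    return 0

def _split(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return _sign(ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(suite, installed, cve):
    """True if `installed` git-core carries the fix for `cve` in `suite` per DSA-1708-1."""
    fixed = FIXED[suite][cve]
    return fixed is not None and compare_versions(installed, fixed) >= 0
```

    Note that a "~" pre-release suffix and a missing "+etch1" both sort below the fixed version, so a host on plain 1.4.4.4-4 is reported as unpatched.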
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list:
    Package info: `apt-cache show ' and http://packages.debian.org/
    