Debian: DSA-1841-1: New git-core packages fix denial of service

    Date: 25 Jul 2009
    Category: Debian
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1841-1
    http://www.debian.org/security/                                 Nico Golde
    July 25th, 2009                         http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : git-core
    Vulnerability  : denial of service
    Problem type   : remote
    Debian-specific: no
    Debian bug     : 532935
    CVE ID         : CVE-2009-2108
    
    It was discovered that git-daemon, which is part of git-core, a popular
    distributed revision control system, is vulnerable to denial of service
    attacks caused by a programming mistake in handling requests containing
    extra unrecognized arguments, which results in an infinite loop. While
    this is no problem for the daemon itself, as every request will spawn a
    new git-daemon instance, this still results in very high CPU consumption
    and might lead to denial of service conditions.
    
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 1.4.4.4-4+etch3.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1.5.6.5-3+lenny2.
    
    For the testing distribution (squeeze), this problem has been fixed in
    version 1:1.6.3.3-1.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 1:1.6.3.3-1.
    
    
    We recommend that you upgrade your git-core packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
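
The infinite loop on extra unrecognized arguments that the advisory describes, modelled as an added example (not part of the advisory and not git's source): a parser loop that advances only on recognized arguments, beside one that always makes progress. The packed NUL-terminated argument layout, the function names and the sample buffer are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not git's source: NUL-terminated arguments packed in
 * buf[0..len), only "host=" recognized. SAMPLE: known, unknown, known. */
enum { PARSE_STALLED = -1, PARSE_MALFORMED = -2 };
static const char SAMPLE[] = "host=git.example.org\0bogus=1\0host=second.example.org";

/* Flawed: the cursor moves only when an argument is recognized. max_iter is
 * a demo guard so the call returns; without it the loop never ends. */
int parse_flawed(const char *buf, size_t len, const char **host, int max_iter)
{
    const char *p = buf, *end = buf + len;
    int iter = 0;
    while (p < end) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL) return PARSE_MALFORMED;
        if (++iter > max_iter) return PARSE_STALLED;
        if (strncmp(p, "host=", 5) == 0) {
            *host = p + 5;
            p = nul + 1;
        }                          /* unknown argument: p stays put */
    }
    return 0;
}

/* Hardened: every iteration consumes one argument, recognized or not.
 * Returns the number of ignored arguments, or PARSE_MALFORMED. */
int parse_hardened(const char *buf, size_t len, const char **host)
{
    const char *p = buf, *end = buf + len;
    int ignored = 0;
    while (p < end) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL) return PARSE_MALFORMED;   /* unterminated tail */
        if (strncmp(p, "host=", 5) == 0) *host = p + 5;
        else ignored++;
        p = nul + 1;               /* unconditional progress */
    }
    return ignored;
}

int main(void)
{
    const char *h = NULL;
    int flawed = parse_flawed(SAMPLE, sizeof SAMPLE, &h, 1000);
    int ignored = parse_hardened(SAMPLE, sizeof SAMPLE, &h);
    printf("flawed=%d hardened=%d host=%s\n", flawed, ignored, h);
    return 0;
}
```

A loop whose cursor advances on only some branches is the pattern to look for when reviewing request parsers; the hardened form also rejects an argument with no terminator instead of reading past the buffer.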
    