Debian: DSA-4581-1: git security update
Debian: DSA-4581-1: git security update
Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system. CVE-2019-1348
- ------------------------------------------------------------------------- Debian Security Advisory DSA-4581-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Salvatore Bonaccorso December 10, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : git CVE ID : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353 CVE-2019-1387 CVE-2019-19604 Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system. CVE-2019-1348 It was reported that the --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=..., allowing to overwrite arbitrary paths. CVE-2019-1387 It was discovered that submodule names are not validated strictly enough, allowing very targeted attacks via remote code execution when performing recursive clones. CVE-2019-19604 Joern Schneeweisz reported a vulnerability, where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that. It is now disallowed for `.gitmodules` to have entries that set `submodule..update=!command`. In addition this update addresses a number of security issues which are only an issue if git is operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352 and CVE-2019-1353). For the oldstable distribution (stretch), these problems have been fixed in version 1:2.11.0-3+deb9u5. For the stable distribution (buster), these problems have been fixed in version 1:2.20.1-2+deb10u1. We recommend that you upgrade your git packages. For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.