-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  git (SSA:2018-152-01)

New git packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/git-2.14.4-i586-1_slack14.2.txz:  Upgraded.
  This update fixes security issues:
  Submodule "names" come from the untrusted .gitmodules file, but we
  blindly append them to $GIT_DIR/modules to create our on-disk repo
  paths. This means you can do bad things by putting "../" into the
  name. We now enforce some rules for submodule names which will cause
  Git to ignore these malicious names (CVE-2018-11235).
  Credit for finding this vulnerability and the proof of concept from
  which the test script was adapted goes to Etienne Stalmans.
  It was possible to trick the code that sanity-checks paths on NTFS
  into reading random piece of memory (CVE-2018-11233).
  Credit for fixing for these bugs goes to Jeff King, Johannes
  Schindelin and others.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/git-2.14.4-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/git-2.14.4-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/git-2.14.4-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/git-2.14.4-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/git-2.14.4-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/git-2.14.4-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:

Updated package for Slackware x86_64 14.0:

Updated package for Slackware 14.1:

Updated package for Slackware x86_64 14.1:

Updated package for Slackware 14.2:

Updated package for Slackware x86_64 14.2:

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:


MD5 signatures:
+-------------+

Slackware 13.0 package:
c2ad84d5f0e51131c349320231c08675  git-2.14.4-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
7ae974e6cbf9e9952c3b23704932a20e  git-2.14.4-x86_64-1_slack13.0.txz

Slackware 13.1 package:
c67fd56d50a633af8a73d1e798d53130  git-2.14.4-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
76a36b0566a6740ccb1f84471ec5982d  git-2.14.4-x86_64-1_slack13.1.txz

Slackware 13.37 package:
959c467327d3e13c3f695f44bd23966a  git-2.14.4-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
a7ae74f2bf301ae0692277150cb9f62d  git-2.14.4-x86_64-1_slack13.37.txz

Slackware 14.0 package:
f649ba29533e529695629f3ced5cfb60  git-2.14.4-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
72a672d0b644c292a0e0347587ddd410  git-2.14.4-x86_64-1_slack14.0.txz

Slackware 14.1 package:
95b25602b3eddcf093afa3856a5b63c9  git-2.14.4-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
f8005eaedd8defc142a18a0fb19b3f68  git-2.14.4-x86_64-1_slack14.1.txz

Slackware 14.2 package:
fa6d08ddf2f760f314206a04faeeb02e  git-2.14.4-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
37e04e3f2fb8a348ef7a79e4174aa18b  git-2.14.4-x86_64-1_slack14.2.txz

Slackware -current package:
a4d94a8d81e823f4cd745f6760700cc1  d/git-2.17.1-i586-1.txz

Slackware x86_64 -current package:
a87963571a912a32e120a396d09bd1eb  d/git-2.17.1-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg git-2.14.4-i586-1_slack14.2.txz


+-----+

Slackware: 2018-152-01: git Security Update

June 1, 2018
New git packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues

Summary

Here are the details from the Slackware 14.2 ChangeLog: patches/packages/git-2.14.4-i586-1_slack14.2.txz: Upgraded. This update fixes security issues: Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name. We now enforce some rules for submodule names which will cause Git to ignore these malicious names (CVE-2018-11235). Credit for finding this vulnerability and the proof of concept from which the test script was adapted goes to Etienne Stalmans. It was possible to trick the code that sanity-checks paths on NTFS into reading random piece of memory (CVE-2018-11233). Credit for fixing for these bugs goes to Jeff King, Johannes Schindelin and others. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233 (* Security fix *)

Where Find New Packages

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/git-2.14.4-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/git-2.14.4-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/git-2.14.4-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/git-2.14.4-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/git-2.14.4-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/git-2.14.4-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware 14.1:
Updated package for Slackware x86_64 14.1:
Updated package for Slackware 14.2:
Updated package for Slackware x86_64 14.2:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 Signatures

Slackware 13.0 package: c2ad84d5f0e51131c349320231c08675 git-2.14.4-i486-1_slack13.0.txz
Slackware x86_64 13.0 package: 7ae974e6cbf9e9952c3b23704932a20e git-2.14.4-x86_64-1_slack13.0.txz
Slackware 13.1 package: c67fd56d50a633af8a73d1e798d53130 git-2.14.4-i486-1_slack13.1.txz
Slackware x86_64 13.1 package: 76a36b0566a6740ccb1f84471ec5982d git-2.14.4-x86_64-1_slack13.1.txz
Slackware 13.37 package: 959c467327d3e13c3f695f44bd23966a git-2.14.4-i486-1_slack13.37.txz
Slackware x86_64 13.37 package: a7ae74f2bf301ae0692277150cb9f62d git-2.14.4-x86_64-1_slack13.37.txz
Slackware 14.0 package: f649ba29533e529695629f3ced5cfb60 git-2.14.4-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 72a672d0b644c292a0e0347587ddd410 git-2.14.4-x86_64-1_slack14.0.txz
Slackware 14.1 package: 95b25602b3eddcf093afa3856a5b63c9 git-2.14.4-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: f8005eaedd8defc142a18a0fb19b3f68 git-2.14.4-x86_64-1_slack14.1.txz
Slackware 14.2 package: fa6d08ddf2f760f314206a04faeeb02e git-2.14.4-i586-1_slack14.2.txz
Slackware x86_64 14.2 package: 37e04e3f2fb8a348ef7a79e4174aa18b git-2.14.4-x86_64-1_slack14.2.txz
Slackware -current package: a4d94a8d81e823f4cd745f6760700cc1 d/git-2.17.1-i586-1.txz
Slackware x86_64 -current package: a87963571a912a32e120a396d09bd1eb d/git-2.17.1-x86_64-1.txz

Severity
[slackware-security] git (SSA:2018-152-01)
New git packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

Installation Instructions

Installation instructions: Upgrade the package as root: # upgradepkg git-2.14.4-i586-1_slack14.2.txz

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly
19.Laptop Bed Esm H320
2 - 3 min read
The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux
4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved