Nacionalni CERT

Security vulnerability in the git software package

<p>==========================================================================<br />Ubuntu Security Notice USN-3387-1<br />August 11, 2017<br /><br />git vulnerability<br />==========================================================================<br /><br />A security issue affects these releases of Ubuntu and its derivatives:<br /><br />- Ubuntu 17.04<br />- Ubuntu 16.04 LTS<br />- Ubuntu 14.04 LTS<br /><br />Summary:<br /><br />Git could be made to run programs as your login if it opened a specially<br />crafted git repository.<br /><br />Software Description:<br />- git: fast, scalable, distributed revision control system<br /><br />Details:<br /><br />Brian Neel, Joern Schneeweisz, and Jeff King discovered that Git did<br />not properly handle host names in 'ssh://' URLs. A remote attacker<br />could use this to construct a git repository that when accessed could<br />run arbitrary code with the privileges of the user.<br /><br />Update instructions:<br /><br />The problem can be corrected by updating your system to the following<br />package versions:<br /><br />Ubuntu 17.04:<br /> git 1:2.11.0-2ubuntu0.2<br /><br />Ubuntu 16.04 LTS:<br /> git 1:2.7.4-0ubuntu1.2<br /><br />Ubuntu 14.04 LTS:<br /> git 1:1.9.1-1ubuntu0.6<br /><br />In general, a standard system update will make all the necessary changes.<br /><br />References:<br /> https://www.ubuntu.com/usn/usn-3387-1<br /> CVE-2017-1000117<br /><br />Package Information:<br /> https://launchpad.net/ubuntu/+source/git/1:2.11.0-2ubuntu0.2<br /> https://launchpad.net/ubuntu/+source/git/1:2.7.4-0ubuntu1.2<br /> https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.6</p>
A security vulnerability has been discovered in the git software package for the Ubuntu operating system. The vulnerability allows potential attackers to execute arbitrary program code with the privileges of the user. Updating with the released patches is advised.