Nacionalni CERT

Security vulnerability in the git software package

<p>--------------------------------------------------------------------------------<br />Fedora Update Notification<br />FEDORA-2017-66aa5d1d33<br />2017-10-11 14:44:29.265584<br />--------------------------------------------------------------------------------<br /><br />Name : git<br />Product : Fedora 25<br />Version : 2.9.5<br />Release : 2.fc25<br />URL : https://git-scm.com/<br />Summary : Fast Version Control System<br />Description :<br />Git is a fast, scalable, distributed revision control system with an<br />unusually rich command set that provides both high-level operations<br />and full access to internals.<br /><br />The git rpm installs a common set of tools which are usually used with<br />a small number of dependencies. To install all git packages, including<br />tools for integrating with other SCMs, install the git-all meta-package.<br /><br />--------------------------------------------------------------------------------<br />Update Information:<br /><br />These releases are about hardening `git shell` that is used on servers against<br />unsafe user input, which `git cvsserver` copes with poorly. From the release<br />notes: * "git cvsserver" no longer is invoked by "git shell" by default,<br />as it is old and largely unmaintained. * Various Perl scripts did not<br />use safe_pipe_capture() instead of backticks, leaving them susceptible to<br />end-user input. They have been corrected. Credits go to<br />joernchen &lt;joernchen@phenoelit.de&gt; for finding the unsafe constructs in "git<br />cvsserver", and to Jeff King at GitHub for finding and fixing instances of<br />the same issue in other scripts. References:<br />&lt;http://seclists.org/oss-sec/2017/q3/534&gt;<br />&lt;https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/&gt;<br />--------------------------------------------------------------------------------<br /><br />This update can be installed with the "dnf" update program.
Use<br />su -c 'dnf upgrade git' at the command line.<br />For more information, refer to the dnf documentation available at<br />http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-lab...<br />All packages are signed with the Fedora Project GPG key. More details on the<br />GPG keys used by the Fedora Project can be found at<br />https://fedoraproject.org/keys<br />--------------------------------------------------------------------------------</p>
A security vulnerability has been discovered in the git software package for the Fedora operating system. The vulnerability allows potential attackers to execute arbitrary program code. Updating with the released patches is advised.
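
The class of bug named in the release notes, shown as an added example that is not code from git or from the advisory: Perl backticks pass the interpolated string to the shell, while an exec with an argument list does not. The helper name `capture_no_shell` and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not git's code): run a command given as an argument
# list and capture its stdout without ever involving a shell.
sub capture_no_shell {
    my @cmd = @_;
    my $pid = open(my $fh, '-|');    # implicit fork; child's STDOUT feeds $fh
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: the indirect-object form of exec never falls back to
        # /bin/sh, even when @cmd holds a single element.
        exec { $cmd[0] } @cmd or do {
            warn "exec $cmd[0]: $!\n";
            POSIX::_exit(127);       # do not run the parent's code in the child
        };
    }
    my @out = <$fh>;
    close($fh);                      # reaps the child and sets $?
    die "$cmd[0] exited with status " . ($? >> 8) . "\n" if $?;
    return wantarray ? @out : join('', @out);
}

# Constructed value standing in for input received from a remote user.
my $user_input = 'module; echo INJECTED';

# Unsafe: backticks interpolate the variable and hand the whole string to
# the shell, which treats ';' as a command separator.
my $unsafe = `echo $user_input`;

# Safe: the value travels as one argv element and is never parsed.
my $safe = capture_no_shell('echo', $user_input);

print "backticks:\n$unsafe";
print "argument list:\n$safe";
```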