Accepted git 1:2.1.4-2.1+deb8u4 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 09 Aug 2017 23:30:50 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
git - fast, scalable, distributed revision control system
git-all - fast, scalable, distributed revision control system (all subpacka
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system (obsolete)
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-el - fast, scalable, distributed revision control system (emacs suppor
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-man - fast, scalable, distributed revision control system (manual pages
git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
git (1:2.1.4-2.1+deb8u4) jessie-security; urgency=high
.
* Fix CVE-2017-1000117, arbitrary code execution issues via URLs:
- reject ssh hostname that begins with a dash
- add test for hostname starting with dash to the testsuite
- factor out "looks like command line option" check
- reject dashed arguments to $GIT_PROXY_COMMAND
- ssh:// and local URLs: reject path to repositories that look
like command line options
.
Thanks to Joern Schneeweisz of Recurity Labs for discovering this
vulnerability, Brian Neel at GitLab for reporting it to the Git
project, and Junio Hamano and Jeff King for writing the patches to
address it.
Checksums-Sha1:
346379befa09cf5bcd8e296357aadef9b3f7fa54 2803 git_2.1.4-2.1+deb8u4.dsc
c858fb3b6d34a25a8a08097a7824ebf21983889e 477096 git_2.1.4-2.1+deb8u4.debian.tar.xz
171aba2ed52eeacb91dfcac4897e98567f9e981f 3692788 git_2.1.4-2.1+deb8u4_amd64.deb
b6de96375ec69ae90a487fe15df5a4ff8a79e97f 1408962 git-doc_2.1.4-2.1+deb8u4_all.deb
88f075f9bbfd1918bb861a30bb9956c30c6e443d 588666 git-arch_2.1.4-2.1+deb8u4_all.deb
b6adcd4c904e1ed67b74452e4ce8ec8eec9e1b44 638558 git-cvs_2.1.4-2.1+deb8u4_all.deb
5d221f240b245689664ef41d4fe63ecb23ea5998 662344 git-svn_2.1.4-2.1+deb8u4_all.deb
4ebaa1356119c51375beaa891a33ca367d4f7872 591042 git-mediawiki_2.1.4-2.1+deb8u4_all.deb
29d76bdca07905103ce1c26933c6b8935975bd4e 576986 git-daemon-run_2.1.4-2.1+deb8u4_all.deb
42332b8be7caa831a163fef654f7eb28de2ce452 577942 git-daemon-sysvinit_2.1.4-2.1+deb8u4_all.deb
e17ee5f15a959af84a5813ac54d7abf735733655 594974 git-email_2.1.4-2.1+deb8u4_all.deb
4f0985a9617dc017c83bce5c9be914203ceb08f6 766530 git-gui_2.1.4-2.1+deb8u4_all.deb
6edf2c65671bfcbc07b86c144905408fe95cdbbf 695016 gitk_2.1.4-2.1+deb8u4_all.deb
ef002de8f534b9e092db71c075ba1529ba3a4782 579862 gitweb_2.1.4-2.1+deb8u4_all.deb
fae5ecebf747aba2fca198c0ca5ca2b545abd2c0 575304 git-all_2.1.4-2.1+deb8u4_all.deb
a602ee8dca12d1fab60a1cf2b101871ea43fbd2d 594944 git-el_2.1.4-2.1+deb8u4_all.deb
bc1ceb4b17152898e020aa743989f14dc5cdb809 1267352 git-man_2.1.4-2.1+deb8u4_all.deb
589753f71d6b7006c3e91ed5f0add568da17b555 1498 git-core_2.1.4-2.1+deb8u4_all.deb
Checksums-Sha256:
a1fd74ba02143befafcf19106a593154faa0be6cc55626feea0462c8383b528d 2803 git_2.1.4-2.1+deb8u4.dsc
5b4605339b7eab5d565ca269a8e519b2e3e2fa4a7e62327212080ef2aa3bb4e8 477096 git_2.1.4-2.1+deb8u4.debian.tar.xz
49c2903e3b8c11690502827e01ce0f4af6213526fffcd6bd82cf09d53b147454 3692788 git_2.1.4-2.1+deb8u4_amd64.deb
a51f103716f73a82e62185dc458f27fce97480c03626a488965a3981acd210c2 1408962 git-doc_2.1.4-2.1+deb8u4_all.deb
be2b8115d2fac2b6cf79bc7a91ab73ecbe4407e21b30011518498543c2b81bb5 588666 git-arch_2.1.4-2.1+deb8u4_all.deb
0917e4b54f09ca2c2807432f730947a42647aa22aa312e149295238f9b7561a8 638558 git-cvs_2.1.4-2.1+deb8u4_all.deb
f879b3a14a3d1eb499707c293b9ba569400510cd4af11d6b10ad098cc8eaa675 662344 git-svn_2.1.4-2.1+deb8u4_all.deb
5c0cbabcfdf59509cbc06e511778672e247355e263b542c401f7014fcb0bf85c 591042 git-mediawiki_2.1.4-2.1+deb8u4_all.deb
a694a2464001c34bae613167ed60fa473151b7b42d6fce943e6e5570e2565efa 576986 git-daemon-run_2.1.4-2.1+deb8u4_all.deb
e6e2f831e226c4fe3863308ffd6c344f0d12c5e4e940065016c5c918612739b9 577942 git-daemon-sysvinit_2.1.4-2.1+deb8u4_all.deb
99e18248ab4cf4f32c7808539ad3db6745e6928e6c973745ac2c9fab8cd863b5 594974 git-email_2.1.4-2.1+deb8u4_all.deb
d729c65ec8249ee9295b5c65381a32bb4b4493d777607e15cc055af4b5ccc6f9 766530 git-gui_2.1.4-2.1+deb8u4_all.deb
2894d24af5c27fa388c6e3dacedf45937e3f8b8eaac72a59851cbd920f9ab8e3 695016 gitk_2.1.4-2.1+deb8u4_all.deb
45026f213f3727bace3b091566b5abdb55cbd6b818b60301f43aeacfde320020 579862 gitweb_2.1.4-2.1+deb8u4_all.deb
0441c2ffbe46933c61d098473be5c59485e5e8c1d676bf5fcd16f51c3097c61c 575304 git-all_2.1.4-2.1+deb8u4_all.deb
1e9d5223b8df42f14d9448eae4f87bcb394eead9c3cdf042ea8991030d42f79f 594944 git-el_2.1.4-2.1+deb8u4_all.deb
5e0d63c3b8a0b77fa632bbf902524063546005ba3e064864c2ff7e273bfc01ff 1267352 git-man_2.1.4-2.1+deb8u4_all.deb
c42f6732bf2af56db161bc2788513a4ed5268852e6d44f5437727c17bcf1dc26 1498 git-core_2.1.4-2.1+deb8u4_all.deb
Files:
03928609a160d0f90e9255cd794d8a0f 2803 vcs optional git_2.1.4-2.1+deb8u4.dsc
5e673d130869bcf6372ff15be506cd18 477096 vcs optional git_2.1.4-2.1+deb8u4.debian.tar.xz
96b974a56af28d1f9c09fcf4e16aad02 3692788 vcs optional git_2.1.4-2.1+deb8u4_amd64.deb
411b79ad3dd20450709d009c5b2168e2 1408962 doc optional git-doc_2.1.4-2.1+deb8u4_all.deb
2d7e4a1471380e2902a90859262176e4 588666 vcs optional git-arch_2.1.4-2.1+deb8u4_all.deb
4f1335edf4352e50e8bdf63e62a1b1a2 638558 vcs optional git-cvs_2.1.4-2.1+deb8u4_all.deb
20054c5d8de11d1a7ac6ec71e3aab8cc 662344 vcs optional git-svn_2.1.4-2.1+deb8u4_all.deb
918623bfa899b6557046abb39a120ae1 591042 vcs optional git-mediawiki_2.1.4-2.1+deb8u4_all.deb
eadfbb552b04c8cfcd1fd741b801e692 576986 vcs optional git-daemon-run_2.1.4-2.1+deb8u4_all.deb
ab37f10d5844f7b1a76abeec0c3e865f 577942 vcs extra git-daemon-sysvinit_2.1.4-2.1+deb8u4_all.deb
a981363f5eb2a187dfc020d0b65e2c5e 594974 vcs optional git-email_2.1.4-2.1+deb8u4_all.deb
7b8f582071cdb83d568ab87f8e266530 766530 vcs optional git-gui_2.1.4-2.1+deb8u4_all.deb
740cc0a19ead989e1bc23f6104c9cc42 695016 vcs optional gitk_2.1.4-2.1+deb8u4_all.deb
fcc7f050ea7be35d292f1199c7afa3fb 579862 vcs optional gitweb_2.1.4-2.1+deb8u4_all.deb
14418d5c578b0e668d5e09860bd3c87e 575304 vcs optional git-all_2.1.4-2.1+deb8u4_all.deb
244b272faeb0da43364bd4e6d7f224c1 594944 vcs optional git-el_2.1.4-2.1+deb8u4_all.deb
668d31edf55474638ad3fb7bf914d7b1 1267352 doc optional git-man_2.1.4-2.1+deb8u4_all.deb
8eb2745bf81e67b4df9b7d1cca20d137 1498 vcs optional git-core_2.1.4-2.1+deb8u4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJZjHyOAAoJEN/Gce6zM/olDEIQAKuG/367B+E8UE23xIYyDl7X
3PiovkOFsn4np113yXqvH52khmdeBPYMmYrDvQBNmJRxyUH7UUD0apO4TaoirC58
fO8/x6DHPmDTpnG5yGuD3I1AzZgMdYdIWNzfKo/TcqJCavYIX1xzqEl3D13gi67E
PjkXQlfuh3PDB9a97dQ0ZVvEk5/jgeY/xDDxy6vF0z6V2PC6PbjqyTOMuuk/TBTp
SLuoMn/9bTRRfE8CYAIFocggZ7yOoLyA3B+LTRU2oSWqZ+SoQcuROGkdMhpIYqem
sbtX2pC9TTADYyEPHa+/Q+YS+iKO0dVl/FwmuLVMg2FYRdtxBhOR0RrZVHRbCitV
HHryEYwCIR/fPtHQAFKyZeu1iyUD3oRd6+gB+9/A1vYN6sfliQZNEkRH3QbiDrig
lKF4tugxZ8jf9gupPLtSq2KUaC+Gv5C3enTDDiRc7I2QgQdD+0PRh7NbC+9LcSnT
5LmNwhUDb2gYemX+YpV8ukZiKsFIgMm43UwlwEzad90IXkWxuYJ+Qq0bYj1X8JFT
EFXGTMvcwuXQNjzQwu6IHfiBIQ2eCqHV1H1TTAgnxUWK1ywZiGpW2ZZcrc3+qiDH
kxnUTmiczM7vZX2reajPnbTyQk/5k/n1d8kksHySr1SYdPOUJxtPFpqUwn43G4j3
LkoOt1tzY9yujoPHIeC8
=VUqP
-----END PGP SIGNATURE-----