Accepted git 1:2.11.0-3+deb9u3 (source all amd64) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 27 May 2018 10:48:46 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
git - fast, scalable, distributed revision control system
git-all - fast, scalable, distributed revision control system (all subpacka
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system (obsolete)
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-el - fast, scalable, distributed revision control system (emacs suppor
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-man - fast, scalable, distributed revision control system (manual pages
git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
git (1:2.11.0-3+deb9u3) stretch-security; urgency=high
.
* Fix CVE-2018-11235, arbitrary code execution via submodule names
in .gitmodules file:
- submodule: verify submodule names as paths
- fsck: simplify ".git" check
- fsck: fsck blob data
- fsck: detect .gitmodules files
- fsck: check .gitmodules content
- fsck: call fsck_finish after fscking objects
- unpack-objects: call fsck_finish after fscking objects
- index-pack: check .gitmodules files with --strict
* Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
- is_ntfs_dotgit: use a size_t for traversing string
* Do not allow .gitmodules to be a symlink:
- is_hfs_dotgit: match other .git* files
- is_ntfs_dotgit: match other .git* files
- is_{hfs,ntfs}_dotgitmodules: add tests
- skip_prefix: add case-insensitive variant
- verify_path: drop clever fallthrough
- verify_dotfile: mention case-insensitivity in comment
- update-index: stat updated files earlier
- verify_path: disallow .gitmodules symlinks
- fsck: complain when .gitmodules is a symlink
* debian/rules: make the new test executable.
.
Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
discovering and reporting these vulnerabilities and to Jeff King
and Johannes Schindelin for fixing them.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----