Accepted git 1:2.1.4-2.1+deb8u6 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 28 May 2018 16:30:30 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u6) jessie-security; urgency=high
 .
   * Fix CVE-2018-11235, arbitrary code execution via submodule names
     in .gitmodules file:
     - submodule: verify submodule names as paths
     - fsck: drop inode-sorting code
     - fsck: simplify ".git" check
     - fsck: fsck blob data
     - fsck: detect gitmodules files
     - fsck: check .gitmodules content
     - fsck: call fsck_finish after fscking objects
     - unpack-objects: call fsck_finish after fscking objects
     - index-pack: check .gitmodules files with --strict
   * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
     - is_ntfs_dotgit: use a size_t for traversing string
   * Do not allow .gitmodules to be a symlink:
     - is_hfs_dotgit: loosen over-eager match of \u{..47}
     - is_hfs_dotgit: match other .git* files
     - is_ntfs_dotgit: match other .git* files
     - is_{hfs,ntfs}_dotgitmodules: add tests
     - skip_prefix: add case-insensitive variant
     - verify_path: drop clever fallthrough
     - verify_dotfile: mention case-insensitivity in comment
     - update-index: stat updated files earlier
     - verify_path: disallow .gitmodules symlinks
     - fsck: complain when .gitmodules is a symlink
 .
   Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
   discovering and reporting these vulnerabilities and to Jeff King and
   Johannes Schindelin for fixing them.
 .
   * Prevent "git apply" without --index from escaping the current
     directory (compare GNU patch's CVE-2015-1196):
     - apply: reject input that touches outside the working area
     - apply: do not read from the filesystem under --index
     - apply: do not read from beyond a symbolic link
     - apply: do not touch a file beyond a symbolic link
 .
   Thanks to Josh Boyer for reporting this vulnerability and Junio C
   Hamano for fixing it.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----