Accepted git 1:2.1.4-2.1+deb8u6 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 28 May 2018 16:30:30 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
git - fast, scalable, distributed revision control system
git-all - fast, scalable, distributed revision control system (all subpacka
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system (obsolete)
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-el - fast, scalable, distributed revision control system (emacs suppor
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-man - fast, scalable, distributed revision control system (manual pages
git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
git (1:2.1.4-2.1+deb8u6) jessie-security; urgency=high
.
* Fix CVE-2018-11235, arbitrary code execution via submodule names
in .gitmodules file:
- submodule: verify submodule names as paths
- fsck: drop inode-sorting code
- fsck: simplify ".git" check
- fsck: fsck blob data
- fsck: detect gitmodules files
- fsck: check .gitmodules content
- fsck: call fsck_finish after fscking objects
- unpack-objects: call fsck_finish after fscking objects
- index-pack: check .gitmodules files with --strict
* Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
- is_ntfs_dotgit: use a size_t for traversing string
* Do not allow .gitmodules to be a symlink:
- is_hfs_dotgit: loosen over-eager match of \u{..47}
- is_hfs_dotgit: match other .git* files
- is_ntfs_dotgit: match other .git* files
- is_{hfs,ntfs}_dotgitmodules: add tests
- skip_prefix: add case-insensitive variant
- verify_path: drop clever fallthrough
- verify_dotfile: mention case-insensitivity in comment
- update-index: stat updated files earlier
- verify_path: disallow .gitmodules symlinks
- fsck: complain when .gitmodules is a symlink
.
Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
discovering and reporting these vulnerabilities and to Jeff King and
Johannes Schindelin for fixing them.
.
* Prevent "git apply" without --index from escaping the current
directory (compare GNU patch's CVE-2015-1196):
- apply: reject input that touches outside the working area
- apply: do not read from the filesystem under --index
- apply: do not read from beyond a symbolic link
- apply: do not touch a file beyond a symbolic link
.
Thanks to Josh Boyer for reporting this vulnerability and Junio C
Hamano for fixing it.
Checksums-Sha1:
d5a0e4a7f15a5d0037da1c2b80cd295f89cd7dd6 2846 git_2.1.4-2.1+deb8u6.dsc
91ea7b59ac1c30e24eff69cde6447a546ba44cf7 512872 git_2.1.4-2.1+deb8u6.debian.tar.xz
cb5526fd6a4bea08baee54427dd420118a618b39 3707370 git_2.1.4-2.1+deb8u6_amd64.deb
c5b2ef28b60a8340661b6b87089a4fedeadfa0fb 1410228 git-doc_2.1.4-2.1+deb8u6_all.deb
194893f090be252647d944b370a749a08b781f73 589468 git-arch_2.1.4-2.1+deb8u6_all.deb
e54cc09f0546cd90e5fd81ce33abfe0bfdf1b5b9 639114 git-cvs_2.1.4-2.1+deb8u6_all.deb
88e0eb8cdd583cb3f50f79f3821e6a7c03f9e92e 663158 git-svn_2.1.4-2.1+deb8u6_all.deb
a39381d435420a5b76794e755a76f50acb19359a 591804 git-mediawiki_2.1.4-2.1+deb8u6_all.deb
bdb92c3c31791c63144adaabc4cd4ac64b759bed 577758 git-daemon-run_2.1.4-2.1+deb8u6_all.deb
0817a205820132629486be7ef77d8c7e6bb9dc16 578724 git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
7de2d8f02ea30d312331cbb620337ff8f34d3c39 595772 git-email_2.1.4-2.1+deb8u6_all.deb
15b6e7ff1dd17f622ef02821a070de95497056b2 767112 git-gui_2.1.4-2.1+deb8u6_all.deb
99b5ff26800337e44c7c31f05b40d06c9a3b029f 695764 gitk_2.1.4-2.1+deb8u6_all.deb
b15cb1d1a5842182e5843950dede4759a4c80d7e 580634 gitweb_2.1.4-2.1+deb8u6_all.deb
0b85fbbd0d66c63ffda2887b273afc89514f99f5 576068 git-all_2.1.4-2.1+deb8u6_all.deb
dec823cd3e901ed183a9b232be26bc109ce90a90 595716 git-el_2.1.4-2.1+deb8u6_all.deb
42e0871b9b3ed3c7db84d9791b3f83f2d6f2ef18 1268748 git-man_2.1.4-2.1+deb8u6_all.deb
6e324d380d546e1f25f4ef01aab53bc1c489a411 1506 git-core_2.1.4-2.1+deb8u6_all.deb
Checksums-Sha256:
15400085501045140f322a3ce5579015a911571014d59cafd95f0bf982b0fc64 2846 git_2.1.4-2.1+deb8u6.dsc
782cb4ff810ca086d228711a1e3f0b5d743d9ba5dc7c221cb2bb596d1dd75c40 512872 git_2.1.4-2.1+deb8u6.debian.tar.xz
5a96fae0a234fc1e96da4911182917e82b05d2b3d47ef41b7ebcf25c7d7ebbeb 3707370 git_2.1.4-2.1+deb8u6_amd64.deb
1271670a62eea8322b635c88f334e95cac342fbc905c2f9de8c6e146176403d3 1410228 git-doc_2.1.4-2.1+deb8u6_all.deb
2315d5c2e2d1025a52a08963fabebf2c12251daa93c5a5e3d3ede8f713fbe880 589468 git-arch_2.1.4-2.1+deb8u6_all.deb
592735966d2f4f6a923255ccbb446f75de62920fe129ba79e26ae6218b8b01b2 639114 git-cvs_2.1.4-2.1+deb8u6_all.deb
280613bd15e2c4c55624bb81667c6fe250f07b384155684d2239f9c76961479c 663158 git-svn_2.1.4-2.1+deb8u6_all.deb
d487a82c38caf4531702ee3936720e6b1685df663ce11734978bcfd5aaf59b63 591804 git-mediawiki_2.1.4-2.1+deb8u6_all.deb
89ef20af4eba40c473e45290ce14177fe25517fc8532d2c5e3144d354cd7075d 577758 git-daemon-run_2.1.4-2.1+deb8u6_all.deb
80a8ab5f5174745690654ea5d26cbc2f2ef2b923b1bac9e34cea8f2774ae56d1 578724 git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
4afbac1a3a27bd7c891b8d161faba8fe13d1f187e6436057027a2865393aa827 595772 git-email_2.1.4-2.1+deb8u6_all.deb
f2efb2e64ff4fded8b834933b0ed69ba1acb77b9dacdc61ff3f2f155fbc3147a 767112 git-gui_2.1.4-2.1+deb8u6_all.deb
c57edf64b0bd41808b9300af2b78206fe93f8f6af5d7f8e910ff18dd94b8eec4 695764 gitk_2.1.4-2.1+deb8u6_all.deb
bcd61bb9bb1d469993e91f56e688fba000b4eb69bdd404ec67686cf3cc9b3d89 580634 gitweb_2.1.4-2.1+deb8u6_all.deb
00d7d43ff7bb204481836a2203fe5d7ecc4172e2bcf5a9ab1639fe5680630c3f 576068 git-all_2.1.4-2.1+deb8u6_all.deb
d4f83a457e05747a2385c2b0b113d557ccfeeb74ab623eb97a8fa3941d5ff03b 595716 git-el_2.1.4-2.1+deb8u6_all.deb
ac65d3741db47478d8f132826aa4bf72006e31eedda269601567086e033ebd47 1268748 git-man_2.1.4-2.1+deb8u6_all.deb
5cc6076919b007a664091835916242d38aa8a4a91ff2478327ec3a11e56aea72 1506 git-core_2.1.4-2.1+deb8u6_all.deb
Files:
d8b37d26eb8c900867ba4c949bfe50f4 2846 vcs optional git_2.1.4-2.1+deb8u6.dsc
a94cd99c03989617b3ca588d4b811d3f 512872 vcs optional git_2.1.4-2.1+deb8u6.debian.tar.xz
0b87955ff4649283cd9709cce1198b48 3707370 vcs optional git_2.1.4-2.1+deb8u6_amd64.deb
2a91b2efbd56a189eb0cb4e77cf3866a 1410228 doc optional git-doc_2.1.4-2.1+deb8u6_all.deb
de223fed6974161fbd59d8dad4fdd992 589468 vcs optional git-arch_2.1.4-2.1+deb8u6_all.deb
a6abf6b5b4ac0b87b0d37147e8f1cfff 639114 vcs optional git-cvs_2.1.4-2.1+deb8u6_all.deb
c6bd0f7709078b32d6f47fab2f8fe5fb 663158 vcs optional git-svn_2.1.4-2.1+deb8u6_all.deb
d4ddda1116f96461b34be884aba89416 591804 vcs optional git-mediawiki_2.1.4-2.1+deb8u6_all.deb
09c69f9a9278bd2b9e05d45a0e39a661 577758 vcs optional git-daemon-run_2.1.4-2.1+deb8u6_all.deb
802fbd17cc329b40acbe47ff5c1083b9 578724 vcs extra git-daemon-sysvinit_2.1.4-2.1+deb8u6_all.deb
7a5f11a9b9a293183dc5e8bcd8164337 595772 vcs optional git-email_2.1.4-2.1+deb8u6_all.deb
d7e1c2b252a8c91092599b921c135a5d 767112 vcs optional git-gui_2.1.4-2.1+deb8u6_all.deb
c4078022b52d5169d5456a8bd3f488e5 695764 vcs optional gitk_2.1.4-2.1+deb8u6_all.deb
3de350c42369f29f694088b9777b8f46 580634 vcs optional gitweb_2.1.4-2.1+deb8u6_all.deb
2feb0811bea15e916687963e6b81060b 576068 vcs optional git-all_2.1.4-2.1+deb8u6_all.deb
62dcae27d554883964915e12787b8d05 595716 vcs optional git-el_2.1.4-2.1+deb8u6_all.deb
226ea69f8d0739498ce404ea5f5aa5f3 1268748 doc optional git-man_2.1.4-2.1+deb8u6_all.deb
492ab5fe48928f16429659ca6c5057d8 1506 vcs optional git-core_2.1.4-2.1+deb8u6_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
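The CVE-2018-11235 entry in the changelog above names the core fix as "submodule: verify submodule names as paths". The name taken from a `[submodule "..."]` section of .gitmodules is used to build the `.git/modules/<name>` directory for that submodule, so a name containing a `..` path component lets a hostile repository steer git into writing outside that directory, which is how the arbitrary code execution arises. The C program below is an added example, not git's source and not part of this Debian upload: it re-implements that name rule (rejecting empty names and any `..` component, with both `/` and `\` treated as separators so the rule is the same on every platform) and applies it to .gitmodules text the way the "fsck: check .gitmodules content" change does. The function names `submodule_name_ok` and `count_bad_submodule_names` are my own, and the .gitmodules sample is constructed for the example.

```c
/*
 * Added example, not git's own code: a re-implementation of the
 * submodule-name rule introduced for CVE-2018-11235 and a small scanner
 * that applies it to .gitmodules content. Function names are the author's
 * own; the sample .gitmodules text below is constructed for this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Returns 1 if the name is acceptable for use under .git/modules/, 0 if not.
 * Rejects an empty name and any path component equal to "..". Both '/' and
 * '\\' count as separators so the decision does not depend on the platform
 * the repository is later checked out on.
 */
static int submodule_name_ok(const char *name)
{
    const char *p = name;

    if (!*p)
        return 0;
    for (;;) {
        /* p points at the first character of a path component */
        if (p[0] == '.' && p[1] == '.' &&
            (!p[2] || p[2] == '/' || p[2] == '\\'))
            return 0;
        /* advance to the next separator or the end of the string */
        while (*p && *p != '/' && *p != '\\')
            p++;
        if (!*p)
            return 1;
        p++; /* skip the separator and look at the next component */
    }
}

/*
 * Scan .gitmodules-style text line by line for [submodule "<name>"] section
 * headers and count the ones whose name fails submodule_name_ok(). Leading
 * whitespace before '[' is tolerated, as git's config parser allows it.
 * Returns the number of rejected names (0 means the file is clean).
 */
static int count_bad_submodule_names(const char *text)
{
    static const char prefix[] = "[submodule \"";
    const size_t plen = sizeof(prefix) - 1;
    int bad = 0;
    const char *line = text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *s = line;

        while (s < line + len && isspace((unsigned char)*s))
            s++;
        /* prefix contains no newline, so a match lies entirely within the line */
        if (strncmp(s, prefix, plen) == 0) {
            const char *start = s + plen;
            const char *q = memchr(start, '"', (size_t)(line + len - start));
            char name[256];

            if (q && (size_t)(q - start) < sizeof(name)) {
                memcpy(name, start, (size_t)(q - start));
                name[q - start] = '\0';
                if (!submodule_name_ok(name))
                    bad++;
            }
        }
        if (!end)
            break;
        line = end + 1;
    }
    return bad;
}

/* Constructed sample: one benign submodule and one whose name escapes .git/modules/ */
static const char sample_gitmodules[] =
    "[submodule \"lib/helper\"]\n"
    "\tpath = lib/helper\n"
    "\turl = https://example.invalid/helper.git\n"
    "[submodule \"../../../../modules/evil\"]\n"
    "\tpath = evil\n"
    "\turl = https://example.invalid/evil.git\n";

int main(void)
{
    int bad = count_bad_submodule_names(sample_gitmodules);

    printf("%d bad submodule name(s) found in sample .gitmodules\n", bad);
    return bad ? 1 : 0;
}
```

Names such as `..foo` or `foo..` pass, because only a whole component equal to `..` is dangerous; a name like `x\..\y` is rejected even on a POSIX host, since the same .gitmodules will be read on Windows where the backslash is a separator.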