Posted: Mon May 02, 2016 8:26 pm Post subject: [ GLSA 201605-01 ] Git
Gentoo Linux Security Advisory
Title: Git: Multiple vulnerabilities (GLSA 201605-01)
Severity: normal
Exploitable: remote
Date: May 02, 2016
Bug(s): #562884, #577482
ID: 201605-01
Synopsis
Git contains multiple vulnerabilities that allow for the remote
execution of arbitrary code.
Background
Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.
Affected Packages
Package: dev-vcs/git
Vulnerable: < 2.7.3-r1
Unaffected: >= 2.7.3-r1
Architectures: All supported architectures
Description
Git is vulnerable to the remote execution of arbitrary code by cloning
repositories with large filenames or a large number of nested trees.
Additionally, some protocols within Git, such as git-remote-ext, can
execute arbitrary code found within URLs. The URLs that submodules use
may come from arbitrary sources (e.g., .gitmodules files in a remote
repository), and can affect those who enable recursive fetch. Restrict
the allowed protocols to well-known and safe ones.
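As an added example (not part of the advisory or of Git itself), a POSIX shell check that reads a .gitmodules file and refuses to proceed when any submodule URL uses a transport outside an allowlist, the kind of gate a CI job can run before a recursive clone; the allowlist, the helper names and the sample files are assumptions constructed for this example:

```shell
#!/bin/sh
# Added example, not part of the GLSA: audit a .gitmodules file for submodule
# URLs whose transport is outside an allowlist before a recursive clone or
# fetch, following the advisory's advice to restrict the allowed protocols.
# Assumes only POSIX sh and awk; the allowlist and sample files are constructed.
ALLOWED_PROTOCOLS="https ssh git"

# Map a Git URL to its transport: "ext::..." -> ext, "https://..." -> https,
# scp-like "host:path" -> ssh, bare paths -> file.
url_scheme() {
    case "$1" in
        *::*)        printf '%s\n' "${1%%::*}" ;;
        *://*)       printf '%s\n' "${1%%://*}" ;;
        /*|./*|../*) echo file ;;
        *:*)         echo ssh ;;
        *)           echo file ;;
    esac
}

# Print every "url = ..." value from a .gitmodules file.
gitmodules_urls() {
    awk '/^[ \t]*url[ \t]*=/ { sub(/^[ \t]*url[ \t]*=[ \t]*/, ""); print }' "$1"
}

# Return 0 if all submodule URLs use an allowed transport; otherwise list the
# offenders on stderr and return 1, so it can gate "git clone --recursive".
check_gitmodules() {
    offenders=$(gitmodules_urls "$1" | while IFS= read -r url; do
        scheme=$(url_scheme "$url")
        case " $ALLOWED_PROTOCOLS " in
            *" $scheme "*) ;;
            *) printf '%s\n' "$url" ;;
        esac
    done)
    if [ -n "$offenders" ]; then
        printf 'disallowed submodule transport(s):\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample: an ordinary submodule plus one using git-remote-ext.
BAD_MODULES=$(mktemp)
printf '[submodule "lib"]\n\tpath = lib\n\turl = https://example.invalid/lib.git\n' > "$BAD_MODULES"
printf '[submodule "helper"]\n\tpath = helper\n\turl = ext::helper-placeholder\n' >> "$BAD_MODULES"
GOOD_MODULES=$(mktemp)
printf '[submodule "lib"]\n\tpath = lib\n\turl = git@example.invalid:lib.git\n' > "$GOOD_MODULES"
check_gitmodules "$BAD_MODULES"  || echo "refusing recursive clone"
check_gitmodules "$GOOD_MODULES" && echo "submodule transports ok"
```

Git releases that include the CVE-2015-7545 fix enforce the same kind of allowlist themselves when the GIT_ALLOW_PROTOCOL environment variable is set to a colon-separated list of transport names.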
Impact
Remote attackers could execute arbitrary code on both client and server.
Workaround
There is no known workaround at this time.
Resolution
All Git users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.7.3-r1"
References
Buffer overflow in all git versions before 2.7.1
CVE-2015-7545
CVE-2016-2315
CVE-2016-2324