-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 08 Aug 2017 23:49:17 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-1000117, arbitrary code execution issues via URLs:
     - reject ssh hostname that begins with a dash
     - add test for hostname starting with dash to the testsuite
     - factor out "looks like command line option" check
     - reject dashed arguments to $GIT_PROXY_COMMAND
     - ssh:// and local URLs: reject path to repositories that look like
       command line options
 .
   Thanks to Joern Schneeweisz of Recurity Labs for discovering this
   vulnerability, Brian Neel at GitLab for reporting it to the Git
   project, and Junio Hamano and Jeff King for writing the patches to
   address it.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----