Format: 1.8
Date: Mon, 25 Sep 2017 12:09:08 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u2) stretch-security; urgency=high
 .
   * Fix remote shell command execution via CVS protocol:
     - git-shell: drop cvsserver support by default
     - git-cvsserver: harden backtick captures against user input
   * Avoid shell command injection in other commands as well:
     - git-cvsimport: harden backtick captures against user input
     - git-archimport: harden backtick captures against user input
 .
   Thanks to joernchen of Phenoelit for discovering, reporting, and
   fixing this vulnerability, and to Junio C Hamano and Jeff King for
   the fixes to related issues.