Format: 1.8
Date: Wed, 09 Aug 2017 23:30:50 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u4) jessie-security; urgency=high
 .
   * Fix CVE-2017-1000117, arbitrary code execution issues via URLs:
     - reject ssh hostname that begins with a dash
     - add test for hostname starting with dash to the testsuite
     - factor out "looks like command line option" check
     - reject dashed arguments to $GIT_PROXY_COMMAND
     - ssh:// and local URLs: reject path to repositories that look
       like command line options
 .
   Thanks to Joern Schneeweisz of Recurity Labs for discovering this
   vulnerability, Brian Neel at GitLab for reporting it to the Git
   project, and Junio Hamano and Jeff King for writing the patches
   to address it.