Format: 1.8
Date: Mon, 25 Sep 2017 12:12:03 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u5) jessie-security; urgency=high
 .
   * Fix remote shell command execution via CVS protocol:
     - git-shell: drop cvsserver support by default
     - git-cvsserver: harden backtick captures against user input
   * Avoid shell command injection in other commands as well:
     - git-cvsimport: harden backtick captures against user input
     - git-archimport: harden backtick captures against user input
 .
   Thanks to joernchen of Phenoelit for discovering, reporting, and
   fixing this vulnerability, and to Junio C Hamano and Jeff King for
   the fixes to related issues.