-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 05 Oct 2018 00:41:17 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u7) jessie-security; urgency=high
 .
   * Fix CVE-2018-17456, arbitrary code execution via submodule URLs and
     paths in .gitmodules file:
     - submodule: ban submodule urls that start with a dash
     - submodule: ban submodule paths that start with a dash
     - submodule: use "--" to signal end of clone options
     - fsck: detect submodule urls that start with a dash
     - fsck: detect submodule paths that start with a dash
 .
     Thanks to joernchen of Phenoelit for discovering and reporting this
     vulnerability and to Jeff King for fixing it.
 .
   * Correct incomplete shell command injection fix in git cvsimport in
     1:2.1.4-2.1+deb8u5. A malicious CVS server could trigger arbitrary
     code execution by a user running "git cvsimport".
     - cvsimport: apply shell-quoting regex globally
 .
     Thanks to littlelailo for discovering this vulnerability and to
     Jeff King for fixing it.
 .
   * fsck: error out when .gitmodules is a symbolic link, completing the
     backport of the patch "fsck: complain when .gitmodules is a symlink"
     in 1:2.1.4-2.1+deb8u6. Thanks to Pavel Cahyna for the report and
     patch.
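The first and third changelog items above describe three controls on .gitmodules: a submodule url or path must not start with a dash (otherwise the command that receives it on its command line parses it as an option), positional operands to clone are separated from options with "--", and .gitmodules must not be a symlink. The following is an added example written for this page, not git's own fsck or submodule code. It implements the same three checks over a constructed .gitmodules file; the parser is a deliberately minimal reading of the git-config syntax (full-line comments, [submodule "name"] sections, key = value), and the symlink check inspects a worktree rather than a tree object, which is a simplification.

```python
"""Added example: fsck-style checks for the .gitmodules hardening described in
git 1:2.1.4-2.1+deb8u7.  Illustrative code for this page, not git's own."""
import os
import re

# [submodule "name"]; the name may contain backslash-escaped quotes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# key = value; git lower-cases keys, values are taken verbatim here
# (quoted values and line continuations are not handled: simplification).
KV_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample; the "evil" entry carries dash-prefixed values of the
# kind the patched submodule code bans.  The values are placeholders, not a
# reproduction of any real exploit.
SAMPLE_GITMODULES = """\
# constructed sample, not a real repository
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "evil"]
\tpath = --not-a-path
\turl = -not-a-url
"""


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for the submodule sections."""
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue                       # blank line or full-line comment
        if stripped.startswith("["):
            m = SECTION_RE.match(line)
            if m:
                current = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
                modules.setdefault(current, {})
            else:
                current = None             # some other section: ignore its keys
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            modules[current][m.group(1).lower()] = m.group(2)
    return modules


def find_dash_entries(modules):
    """(name, key, value) for every url or path that starts with a dash.

    Such a value, handed to a git command as an argument, would be parsed as
    an option instead of an operand; the patched git refuses it and fsck
    reports it.  The result is sorted so callers get a stable order."""
    findings = []
    for name, kv in modules.items():
        for key in ("path", "url"):
            value = kv.get(key)
            if value is not None and value.startswith("-"):
                findings.append((name, key, value))
    return sorted(findings)


def clone_argv(url, path):
    """argv for a submodule clone that cannot be hijacked by its operands.

    Two layers, matching the changelog: reject dash-prefixed operands
    outright, and put "--" before them so that even an operand that slipped
    through would never be read as an option."""
    for label, value in (("url", url), ("path", path)):
        if value.startswith("-"):
            raise ValueError("submodule %s starts with a dash: %r" % (label, value))
    return ["git", "clone", "--", url, path]


def gitmodules_is_symlink(worktree):
    """True if <worktree>/.gitmodules is a symbolic link (simplified check)."""
    return os.path.islink(os.path.join(worktree, ".gitmodules"))


if __name__ == "__main__":
    mods = parse_gitmodules(SAMPLE_GITMODULES)
    for name, key, value in find_dash_entries(mods):
        print("refusing submodule %r: %s starts with a dash: %r" % (name, key, value))
    print(clone_argv(mods["libfoo"]["url"], mods["libfoo"]["path"]))
```

On a patched git the equivalent protection is automatic for the submodule commands; to have fetches of such trees refused as well, enable the fsck checks on transfer (transfer.fsckObjects, or fetch.fsckObjects), which is what the two fsck items in the changelog are for.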
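The second changelog item is a classic incomplete-escaping bug: a substitution that backslash-escapes shell metacharacters was applied to the first match only, so any later metacharacter in a server-supplied string still reached the shell. The following is an added example for this page, not git-cvsimport's code: the character class being escaped and the CVSROOT-style sample string are constructed to model the bug class, and the detector for leftover metacharacters is a simple illustration rather than a shell parser. It shows the first-match and global variants side by side, and shlex.quote as the alternative that avoids hand-rolled escaping.

```python
"""Added example: why a shell-quoting substitution must be applied globally.
Illustrative code for this page, not git-cvsimport's own quoting."""
import re
import shlex

# Escape every character that is not a word character, "/" or "-" with a
# backslash.  This character class is an assumption for the example.
UNSAFE = re.compile(r"([^\w/-])")

# Constructed sample: a CVSROOT-like string that a malicious server could
# hand back, carrying a command separator after the repository path.
SAMPLE_CVSROOT = ":pserver:anon@cvs.example.org:/cvsroot; echo injected"


def escape_first_only(s):
    """The incomplete variant: only the first unsafe character is escaped."""
    return UNSAFE.sub(r"\\\1", s, count=1)


def escape_all(s):
    """The corrected variant: every unsafe character is escaped."""
    return UNSAFE.sub(r"\\\1", s)


def shell_metachars_left(s):
    """Shell metacharacters in s that are not preceded by a backslash.

    Good enough to show the difference between the two variants; it is not a
    full shell tokenizer (it does not understand quoting, for instance)."""
    return re.findall(r"(?<!\\)([;&|`$<>()])", s)


def cvs_command(cvsroot, quoting=escape_all):
    """Build the command line the way a backtick-style caller would, with the
    chosen quoting applied to the server-controlled value."""
    return "cvs -d %s rlog" % quoting(cvsroot)


def cvs_command_shlex(cvsroot):
    """Same command built with shlex.quote, which single-quotes the whole
    value instead of escaping characters one by one."""
    return "cvs -d %s rlog" % shlex.quote(cvsroot)


if __name__ == "__main__":
    for label, fn in (("first only", escape_first_only), ("global", escape_all)):
        quoted = fn(SAMPLE_CVSROOT)
        print("%-10s %s" % (label, quoted))
        print("           unescaped metacharacters: %r" % shell_metachars_left(quoted))
    print("shlex      %s" % cvs_command_shlex(SAMPLE_CVSROOT))
```

The first-only variant escapes the leading colon and nothing else, so the ";" survives and the shell would run "echo injected" as a second command; the global variant escapes every unsafe character. Where the calling code can be changed, passing an argv list to the subprocess (no shell at all) removes the need for either.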
Checksums-Sha1:
 37ef5e2e481de345f9172c9e24a04642917cefb9 2846 git_2.1.4-2.1+deb8u7.dsc
 33dd55cebc4f6230e6df72b4a0058d7343ce6eb0 517256 git_2.1.4-2.1+deb8u7.debian.tar.xz
 14ea8d64b984ca8d27d82f9e4228a3c634e2cbb6 3709046 git_2.1.4-2.1+deb8u7_amd64.deb
 0c00650cbd8a936bd6bf89827cf65cd25f8f8aa8 1410472 git-doc_2.1.4-2.1+deb8u7_all.deb
 5551e925733f99bd240172955d2d827616279492 589712 git-arch_2.1.4-2.1+deb8u7_all.deb
 ffeff74bad5e7767ca6d0159aa226a953c82c12c 639642 git-cvs_2.1.4-2.1+deb8u7_all.deb
 97acd1d94f21318b916188ea170bdb163b876cb6 663390 git-svn_2.1.4-2.1+deb8u7_all.deb
 fac9bcdd81d75e83a4ee453f0c2e090cf3c729ba 592066 git-mediawiki_2.1.4-2.1+deb8u7_all.deb
 ee1e7dc5949c0b5d05b3faf8e999ee1ab61a2f90 578026 git-daemon-run_2.1.4-2.1+deb8u7_all.deb
 26fec92df2fdc55a6544dd1f9adcd6dc0ffc552a 578966 git-daemon-sysvinit_2.1.4-2.1+deb8u7_all.deb
 12340c8c40969713359a5bdede163091267a1895 596000 git-email_2.1.4-2.1+deb8u7_all.deb
 839e5c67ad2e1e273c6e1a5b4dd097c240d53aac 767588 git-gui_2.1.4-2.1+deb8u7_all.deb
 14dfe8bac9b4ffac885c42080c8fbae77c191b96 696048 gitk_2.1.4-2.1+deb8u7_all.deb
 d71ea2234fa4ba532aff616bb9c47c86b080ba16 580882 gitweb_2.1.4-2.1+deb8u7_all.deb
 f142a828eb539ffec188f9208292efddb9a2befd 576332 git-all_2.1.4-2.1+deb8u7_all.deb
 d3480651da746aa95a9f5d9890b20c254d51df38 595960 git-el_2.1.4-2.1+deb8u7_all.deb
 90ccafdc008aed825a6dd049ba90587154a76cf8 1268864 git-man_2.1.4-2.1+deb8u7_all.deb
 57cfae47abd4951335ec273032d6707945779439 1504 git-core_2.1.4-2.1+deb8u7_all.deb
Checksums-Sha256:
 016a2def5434cd2b84af9f42c73a0388c17636b998bc04bb230b047c7547a646 2846 git_2.1.4-2.1+deb8u7.dsc
 f378772b946f89e66b44c9d5b1b1f68a64561f07a1e0e7dbb94a94bbbde44442 517256 git_2.1.4-2.1+deb8u7.debian.tar.xz
 383f33b84326b79571a04ce466bfc413f56bb21ed40eba1a106ad1a4c3d585b6 3709046 git_2.1.4-2.1+deb8u7_amd64.deb
 6781116924fcaf8c674e362d2366b6300df45e2d3b255d0e2283cebd5a4bc999 1410472 git-doc_2.1.4-2.1+deb8u7_all.deb
 da6a3b8689bbd533a494433aeba3b0e8315a1d8d845d9fc853aa18c145b9cff2 589712 git-arch_2.1.4-2.1+deb8u7_all.deb
 1bac40d298c5e3d954208c98f3c47fe7941335dc6ef838cd2d22f82c53e65055 639642 git-cvs_2.1.4-2.1+deb8u7_all.deb
 00da8626b5112d4178ca9acefbe29ae197fe7ab9c53e1cdec3efa16d735cc9d4 663390 git-svn_2.1.4-2.1+deb8u7_all.deb
 6b4233ba498cbdb6561671a09d8055b465123e287abb904e690a190548f43a9e 592066 git-mediawiki_2.1.4-2.1+deb8u7_all.deb
 bae21fa689e49022447041f0f66988d5ca8363b70c43aa06aa92d5095af2f077 578026 git-daemon-run_2.1.4-2.1+deb8u7_all.deb
 74f60fe9491f52963b251c88317c26a81176395d7b8ee09a4b1e3173a73a09c7 578966 git-daemon-sysvinit_2.1.4-2.1+deb8u7_all.deb
 1c4298c1a3b58c728b32f6809a691937bbe68b311584f792de061a2f13f21f92 596000 git-email_2.1.4-2.1+deb8u7_all.deb
 ae8875deadb3e8e9b1ed72772a54152f52c62484517123e763f7a326191c150c 767588 git-gui_2.1.4-2.1+deb8u7_all.deb
 07be819f412fa246d5c63bf29e4d04eb3bf746331599e082ceedcb83a4f04074 696048 gitk_2.1.4-2.1+deb8u7_all.deb
 2e12ad5c6b16f67b9f87481c314b6380f8938750251e9c04e3290b93c8f4fc96 580882 gitweb_2.1.4-2.1+deb8u7_all.deb
 f8c2f1071494a4407ab5a59f79cedc52282062f042c529dd75d80c069b48d39e 576332 git-all_2.1.4-2.1+deb8u7_all.deb
 1d81dfabe6582a80348b0c0e36c468b0b3b9944ebc7509976360f67fb097263a 595960 git-el_2.1.4-2.1+deb8u7_all.deb
 604a83dbe3fad8aad5706e7f0382ff7d56398e63734633f153fb2a86ebf6a4aa 1268864 git-man_2.1.4-2.1+deb8u7_all.deb
 42397f5f7dbd17050218d47e2b1cf2d928324e75d4487c472c311eebd3203d52 1504 git-core_2.1.4-2.1+deb8u7_all.deb
Files:
 ff10bbf6e17b7c456e2a5d8aa4787960 2846 vcs optional git_2.1.4-2.1+deb8u7.dsc
 1249ec4892b3904a01254538e82e167e 517256 vcs optional git_2.1.4-2.1+deb8u7.debian.tar.xz
 8503cde7a6efa686464e5285dd3a9633 3709046 vcs optional git_2.1.4-2.1+deb8u7_amd64.deb
 9d33bf75b778e4beafd5ed5cde461a93 1410472 doc optional git-doc_2.1.4-2.1+deb8u7_all.deb
 d068e9eb15e936b9b335a588ace66b83 589712 vcs optional git-arch_2.1.4-2.1+deb8u7_all.deb
 c49dcebfdb8f43bce9a45848aad82c09 639642 vcs optional git-cvs_2.1.4-2.1+deb8u7_all.deb
 225a9cca1e681c372506d3efa27e032d 663390 vcs optional git-svn_2.1.4-2.1+deb8u7_all.deb
 2274d98db4edf7ad37fb965c3345b1d5 592066 vcs optional git-mediawiki_2.1.4-2.1+deb8u7_all.deb
 38cecde5beae9d4c6af9fdeb0ea6852d 578026 vcs optional git-daemon-run_2.1.4-2.1+deb8u7_all.deb
 be1e94bb6a68cd3ad772f79c4cb53c69 578966 vcs extra git-daemon-sysvinit_2.1.4-2.1+deb8u7_all.deb
 148f13668bf8dd6588be964debd19ac5 596000 vcs optional git-email_2.1.4-2.1+deb8u7_all.deb
 f1a93d81d9adcc7e39d59fd7a6bb9096 767588 vcs optional git-gui_2.1.4-2.1+deb8u7_all.deb
 797489212742ede229fc3a567acc79f4 696048 vcs optional gitk_2.1.4-2.1+deb8u7_all.deb
 5352307a91ee3a88ab4ca8b65f44b5c7 580882 vcs optional gitweb_2.1.4-2.1+deb8u7_all.deb
 32160a49b3a1556fb5663b95357b6aca 576332 vcs optional git-all_2.1.4-2.1+deb8u7_all.deb
 d71e7dcc13af6c11d6063de9903644bb 595960 vcs optional git-el_2.1.4-2.1+deb8u7_all.deb
 8860ba52192592b375fa5878f0966039 1268864 doc optional git-man_2.1.4-2.1+deb8u7_all.deb
 904200d58196d35f1cfc0203d0c50641 1504 vcs optional git-core_2.1.4-2.1+deb8u7_all.deb

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEUh5Y8X6W1xKqD/EC38Zx7rMz+iUFAlu3ICkTHGpybmllZGVy
QGdtYWlsLmNvbQAKCRDfxnHuszP6JfazEACnnznqM+k8B5e38LuTBh+bVgsCA7s7
LbBNFtalOvi3yQRwVp7KtIiPoX32fser4rxvzU2nZPTnlVy1YzJ83xBIhrvxl2uy
YWvwqn38T57LoeTMfHgeVJF6Mb59D3JfF8rgbjcmf/5kGftb7r1hr+L55TFq2S4R
JpNBZmVOydSpEJaJwQWvMmc7YMZ1rHdKFdIZ90r2qN83CIj+CaTGh4qZBC7UarUH
gwNOxAZUmXOiESQIXAGVaKNWoNR0lrYp8w06H6fIYwVGaQFCwc2i07wL59pjVnCq
i4elE37qFnIzlXBvT6FxOoE/55KKbbO8/whDO0SSSxX31g7R7J1ZioMktO2r3mbO
D0oFvsIFVbD4rQjHvlJ6bLTU3BDaOKcH1LK+bk0uoV4wIzt7HR95UWD6Y3aAGunj
36pm9/EoJgbrTXQ2NTtdIz++Bh/d06K5/BTYRULVLW3u8EqLwY1Cijl8ZlqicuN/
X+KR185NBS49FIzog5VGctYJbpb916ezl2YQ2hU5/nv+M4+7R0L9MAXMPSEaASo/
YwMvdxeRefQ+zMk+Jf6vpCRV/q2WlZeUYXYimKIT0nU0sEo2YM4FeNS6Rg59Q4VP
MOXLiBKvb+DyQnO1RJM1dW6+QEavbX8/LlS26hYVup9raUen8biQiC6PlH6PMi48
3Wbi10BoMCD5Aw==
=1G02
-----END PGP SIGNATURE-----