-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 27 Sep 2018 19:35:44 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u4) stretch-security; urgency=high
 .
   * Fix CVE-2018-17456, arbitrary code execution via submodule URLs and
     paths in .gitmodules file:
     - submodule: ban submodule urls that start with a dash
     - submodule: ban submodule paths that start with a dash
     - submodule: use "--" to signal end of clone options
     - fsck: detect submodule urls that start with a dash
     - fsck: detect submodule paths that start with a dash
 .
     Thanks to joernchen of Phenoelit for discovering and reporting this
     vulnerability and to Jeff King for fixing it.
 .
   * Correct incomplete shell command injection fix in git cvsimport in
     1:2.11.0-3+deb9u2. A malicious CVS server could trigger arbitrary
     code execution by a user running "git cvsimport".
     - cvsimport: apply shell-quoting regex globally
 .
     Thanks to littlelailo for discovering this vulnerability and to Jeff
     King for fixing it.
Checksums-Sha1:
Checksums-Sha256:
Files:
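The fsck checks listed in the changelog (submodule urls and paths that start with a dash), as an added example that is not git's own code and not part of this advisory: a minimal reader for the git-config syntax of .gitmodules that reports every url or path value beginning with "-". The sample file is constructed here; the parser ignores quoting and escapes, so it is a triage aid for repositories before cloning, not a replacement for `git fsck` in a fixed git.

```python
import re

# Constructed sample .gitmodules (not from the page): one clean entry and
# two entries whose values begin with a dash.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = ext/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "dash-url"]
\tpath = ext/dash-url
\turl = -not-a-url
[submodule "dash-path"]
\tpath = -not-a-path
\turl = https://example.invalid/other.git
"""

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
KEYVAL_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(.*)$')

def parse_gitmodules(text):
    """Return {name: {key: value}} for every [submodule "name"] section
    (minimal git-config reader; other sections are skipped)."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':
            continue                      # blank line or comment
        section = SECTION_RE.match(stripped)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        if stripped.startswith('['):
            current = None                # some other section: ignore its keys
            continue
        kv = KEYVAL_RE.match(stripped)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules

def find_dash_entries(text):
    """Mirror the fsck checks from the changelog: report (name, key, value)
    for every submodule url or path whose value begins with '-'."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        for key in ('url', 'path'):
            value = cfg.get(key, '')
            if value.startswith('-'):
                findings.append((name, key, value))
    return findings
```

Run `find_dash_entries` over the .gitmodules of a repository you are about to clone recursively; any finding is exactly what a fixed git's fsck rejects with `transfer.fsckObjects` enabled.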