Accepting request 515991 from devel:tools:scm
git 2.14.1 (bsc#1052481) CVE-2017-1000117 OBS-URL: https://build.opensuse.org/request/show/515991 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=202
This commit is contained in:
parent
8030e85820
commit
069d918659
Binary file not shown.
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:f93e6e6a307d2e953cccafd9f4003c62992628fa508d07586476c953c1655975
|
|
||||||
size 4790932
|
|
BIN
git-2.14.1.tar.sign
Normal file
BIN
git-2.14.1.tar.sign
Normal file
Binary file not shown.
3
git-2.14.1.tar.xz
Normal file
3
git-2.14.1.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:6f724c6d0e9e13114ab35db6f67e1b2c1934b641e89366e6a0e37618231f2cc6
|
||||||
|
size 4791876
|
25
git.changes
25
git.changes
@ -1,3 +1,28 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 10 19:19:07 UTC 2017 - astieger@suse.com
|
||||||
|
|
||||||
|
- git 2.14.1 (bsc#1052481):
|
||||||
|
* Security fix for CVE-2017-1000117: A malicious third-party can
|
||||||
|
give a crafted "ssh://..." URL to an unsuspecting victim, and
|
||||||
|
an attempt to visit the URL can result in any program that
|
||||||
|
exists on the victim's machine being executed. Such a URL could
|
||||||
|
be placed in the .gitmodules file of a malicious project, and
|
||||||
|
an unsuspecting victim could be tricked into running
|
||||||
|
"git clone --recurse-submodules" to trigger the vulnerability.
|
||||||
|
* A "ssh://..." URL can result in a "ssh" command line with a
|
||||||
|
hostname that begins with a dash "-", which would cause the
|
||||||
|
"ssh" command to instead (mis)treat it as an option. This is
|
||||||
|
now prevented by forbidding such a hostname (which should not
|
||||||
|
impact any real-world usage).
|
||||||
|
* Similarly, when GIT_PROXY_COMMAND is configured, the command
|
||||||
|
is run with host and port that are parsed out from "ssh://..."
|
||||||
|
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
|
||||||
|
treating a string that begins with a dash "-" as an option.
|
||||||
|
This is now prevented by forbidding such a hostname and port
|
||||||
|
number (again, which should not impact any real-world usage).
|
||||||
|
* In the same spirit, a repository name that begins with a dash
|
||||||
|
"-" is also forbidden now.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sat Aug 5 14:23:43 UTC 2017 - astieger@suse.com
|
Sat Aug 5 14:23:43 UTC 2017 - astieger@suse.com
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user