Description
Security update for git
This update for git to version 2.13.6 fixes the following issues:
- CVE-2017-14867: Various Perl scripts used backticks instead of safe_pipe_capture(), leaving them susceptible to end-user input (boo#1061041)
As an additional measure, 'git cvsserver' is no longer invoked by 'git daemon' by default.
Package list
openSUSE Leap 42.3
git-2.13.6-7.1
git-arch-2.13.6-7.1
git-core-2.13.6-7.1
git-credential-gnome-keyring-2.13.6-7.1
git-cvs-2.13.6-7.1
git-daemon-2.13.6-7.1
git-doc-2.13.6-7.1
git-email-2.13.6-7.1
git-gui-2.13.6-7.1
git-svn-2.13.6-7.1
git-web-2.13.6-7.1
gitk-2.13.6-7.1
References
- E-Mail link for openSUSE-SU-2017:2614-1
- SUSE Security Ratings
Description
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Affected products
openSUSE Leap 42.3:git-2.13.6-7.1
openSUSE Leap 42.3:git-arch-2.13.6-7.1
openSUSE Leap 42.3:git-core-2.13.6-7.1
openSUSE Leap 42.3:git-credential-gnome-keyring-2.13.6-7.1
References
- CVE-2017-14867
- SUSE Bug 1060377
- SUSE Bug 1060378
- SUSE Bug 1061041