Upstream has issued an advisory today (December 18):
GitHub has some info on this too:
The issue is fixed upstream in 1.8.5.6 and 2.2.1, which are checked into SVN.
Freeze push requested for Cauldron.
Steps to Reproduce:
Updated packages uploaded for Mageia 4 and Cauldron.
Updated git packages fix security vulnerability:
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when the client
performed a "git pull". Because git permitted committing .Git/config (or any
case variation), on the pull this would replace the user's .git/config. If
this malicious config file contained defined external commands (such as for
invoking an editor or an external diff utility) it could allow for the
execution of arbitrary code with the privileges of the user running the git
Updated packages in core/updates_testing:
Philippe, just FYI, this issue also affects mercurial:
It's technically a non-issue for Linux. However, what the git people said in their announcement made it sound like updating it on Linux protects any users using that server (not 100% sure if that's right, but it would make sense), which is why I updated git. I'll let you decide about mercurial.
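The advisory text above describes the mechanism (a committed ".Git/config", or any other spelling that a case-insensitive filesystem folds onto ".git", replaces the real config on pull), and the comment above raises the server-side angle. The following is an added example, not code from the Mageia package, the advisory or git's own source: a small Python checker that flags tree paths containing a component which a case-folding filesystem would map onto the .git directory, which is the kind of check a hosting server can run over pushed commits to protect clients that have not yet updated. The plain case-insensitive match is the case the advisory describes; the NTFS handling (trailing dots and spaces dropped, "GIT~1" 8.3 short name) and the list of code points HFS+ ignores when comparing names are my reading of the upstream fix and should be treated as assumptions. The sample tree listing is constructed for the example.

```python
"""Flag repository paths that would clobber .git on a case-folding filesystem.

Added example, not the project's code. The checks below model what a server
or client can do before accepting a tree: refuse any path component that a
case-insensitive filesystem (FAT/NTFS, HFS+) would treat as ".git".
"""

# Code points HFS+ ignores when comparing file names. ASSUMPTION: taken from
# my reading of the upstream fix; verify against git's utf8.c before relying on it.
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,                  # zero-width joiners, LRM/RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # bidi embedding/override controls
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,  # deprecated format controls
    0xFEFF,                                          # zero width no-break space
}


def is_hfs_dotgit(name: str) -> bool:
    """True if HFS+ would treat `name` as ".git".

    HFS+ compares names case-insensitively and skips the ignorable code
    points above, so ".G<U+FEFF>IT" lands on the real .git directory.
    """
    folded = "".join(ch for ch in name if ord(ch) not in HFS_IGNORED)
    return folded.lower() == ".git"


def is_ntfs_dotgit(name: str) -> bool:
    """True if NTFS would map `name` onto ".git".

    ASSUMPTION (modelled on the upstream fix): trailing dots and spaces are
    dropped when a file is created, matching is case-insensitive, and the
    8.3 short name "GIT~1" resolves to the same directory as ".git".
    """
    stripped = name.rstrip(". ").lower()
    return stripped in (".git", "git~1")


def is_dotgit_component(name: str) -> bool:
    """A single path component is dangerous if either filesystem folds it onto .git."""
    return is_hfs_dotgit(name) or is_ntfs_dotgit(name)


def suspicious_paths(paths):
    """Return, in order, the paths whose components include a .git look-alike.

    `paths` are slash-separated tree paths as `git ls-tree -r --name-only`
    prints them; any component, not just the first, is checked because a
    nested "vendor/.GIT/hooks/..." is just as harmful inside that subtree.
    """
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


# Constructed sample tree listing (not from any real repository).
SAMPLE_TREE = [
    "README",
    "src/main.c",
    ".Git/config",                     # the case variation named in the advisory
    "vendor/.GIT/hooks/post-checkout", # nested variant: hooks run with user privileges
    ".git./config",                    # NTFS drops the trailing dot
    "GIT~1/config",                    # NTFS 8.3 short name for .git
    ".g\u200cit/config",               # HFS+ ignores U+200C ZERO WIDTH NON-JOINER
    ".gitignore",                      # benign: a different name entirely
    "docs/git/README",                 # benign: no leading dot
]


if __name__ == "__main__":
    for path in suspicious_paths(SAMPLE_TREE):
        print("REJECT", repr(path))
```

In a server-side pre-receive hook the same function would be fed the output of `git ls-tree -r --name-only <newrev>` for each pushed commit and the push refused if the list is non-empty; a Linux checkout itself is unaffected, as noted above, but a repository hosted there can still carry the payload to clients on case-insensitive filesystems, which is why a server-side reject is worth having even on a case-sensitive host.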
Testing on Mageia4x32 real hardware
Following procedure from Claire here:
As Mageia uses a case-sensitive filesystem, I gathered I just had to verify that the git update could install well and run as before.
From current package:
Made some configurations first to be able to follow the procedure
$ git config --global user.email firstname.lastname@example.org
$ git config --global user.name zitounu
and added:
folder = "INBOX"
host = imaps://imap.gmail.com
user = email@example.com
port = 993
sslverify = false
Following the procedure, I could initialize a repository, add a message, make some changes and send (and receive) messages through gmail.
Updated to testing packages:
Could find previous repository, add message, send it.
has_procedure MGA4-32-OK =>
has_procedure MGA4-32-OK advisory
MGA4-64 on HP Probook 6555b
Installation no problem.
Managed to create a repository and commit a file in it, but that is where my git experience stops.
Testing complete on mga4 64, and did a pull from GitHub.
Validating. Please push to updates. Thanks
has_procedure MGA4-32-OK advisory =>
has_procedure MGA4-32-OK mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository.