A CVE was requested for a fix in git 2.3.10 and 2.6.1:
http://openwall.com/lists/oss-security/2015/10/06/1

git 2.3.9 and 2.3.10 also contain fixes for potential overflow issues.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
----------------------------------------

The git package has been updated to version 2.3.10, fixing a few security issues. These include buffer and integer overflow issues with long file path names and large files, as well as a remote code execution flaw with some protocols like git-remote-ext and specially crafted URLs.

See the upstream release notes for details.

References:
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.9.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.3.10.txt
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
git-2.3.10-1.mga5
git-core-2.3.10-1.mga5
gitk-2.3.10-1.mga5
gitview-2.3.10-1.mga5
libgit-devel-2.3.10-1.mga5
git-svn-2.3.10-1.mga5
git-cvs-2.3.10-1.mga5
git-arch-2.3.10-1.mga5
git-email-2.3.10-1.mga5
perl-Git-2.3.10-1.mga5
git-core-oldies-2.3.10-1.mga5
gitweb-2.3.10-1.mga5
git-prompt-2.3.10-1.mga5

from git-2.3.10-1.mga5.src.rpm
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Since there was no Proof-of-Concept, I just tested normal git use in an x86-64 VM. Adding MGA5-64-OK. I'll attach the output of the script file (possibly useful as a future procedure) soon.
CC: (none) => shlomif
Whiteboard: advisory => advisory MGA5-64-OK
Created attachment 7111
The Git test procedure that I used in the output of the script command.
Can anyone verify that Bug 16861 does not affect this update?
(In reply to David Walser from comment #3)
> Can anyone verify that Bug 16861 does not affect this update?

git works fine in an English locale, and from what I know, gitk is not necessary to use git, so it seems like a separate issue.
Validating. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0396.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/660668/
(In reply to David Walser from comment #0)
> as well as a remote code execution flaw with some protocols like
> git-remote-ext and specially crafted URLs

This issue has been assigned CVE-2015-7545:
http://openwall.com/lists/oss-security/2015/12/08/5
Summary: git 2.3.10 security update => git 2.3.10 security update (including CVE-2015-7545)