Some details on security issues fixed in git 2.7.1 were released today (March 15): http://openwall.com/lists/oss-security/2016/03/15/5 The commit 34fa79a they mention never made it into the 2.3.10 release, which we have in Mageia 5, and commits were not listed for the fixes in 2.7.1 that fully fixed these issues. The 2.3 branch has not had any more releases. I'd guess we just need to update to 2.7.3, but I don't know if updating Mageia 5 to the 2.7 branch would cause any issues.
CC: (none) => mageia, thierry.vignaud, tmb
Personally, I don't think we need to worry about updating to 2.7.3. I've generally followed cauldron and work quite a lot with various git repos and never had an issue. I vote we just update MGA5 to the latest version. Any objections? Note we should also rebuild/update cgit as part of this change too (I think it's already updated to a newer git in MGA5 but probably still needs updating, and at the very least checked).
Thanks for the reminder about cgit. I suspect updating to 2.7.3 should be just fine as well.
I support updating to git-2.7.3 as well.
(In reply to David Walser from comment #2)
> Thanks for the reminder about cgit. I suspect updating to 2.7.3 should be
> just fine as well.

Can I proceed with upgrading git to 2.7.3 in Mageia v5? There seems to be a consensus that it's the best way.

Regards,

-- Shlomi Fish
Thanks Shlomi. Yes, please proceed. Colin, would you mind taking care of cgit?
(In reply to David Walser from comment #5)
> Colin, would you mind taking care of cgit?

Will do!
cgit-0.12-1.2.mga5 is on its way to updates_testing.
git-2.7.3-1.mga5 was submitted to 5 core/updates_testing.
Thanks Shlomi and Colin!

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code execution in git. It can happen while pushing or cloning a repository with a large filename or a large number of nested trees (CVE-2016-2315, CVE-2016-2324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
========================

Updated packages in core/updates_testing:
========================
git-2.7.3-1.mga5
git-core-2.7.3-1.mga5
gitk-2.7.3-1.mga5
gitview-2.7.3-1.mga5
libgit-devel-2.7.3-1.mga5
git-svn-2.7.3-1.mga5
git-cvs-2.7.3-1.mga5
git-arch-2.7.3-1.mga5
git-email-2.7.3-1.mga5
perl-Git-2.7.3-1.mga5
git-core-oldies-2.7.3-1.mga5
gitweb-2.7.3-1.mga5
git-prompt-2.7.3-1.mga5
cgit-0.12-1.1.mga5

from SRPMS:
git-2.7.3-1.mga5.src.rpm
cgit-0.12-1.1.mga5.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Severity: normal => critical
Here is a good explanation of the security issues: http://www.theregister.co.uk/2016/03/16/git_server_client_patch_now/
More fleshed-out advisory.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code execution in git. It can happen while pushing or cloning a repository with a large filename or a large number of nested trees (CVE-2016-2315, CVE-2016-2324).

The git package has been updated to version 2.7.3, which fixes this issue, as well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been updated to version 2.7.3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
The original reporter just pointed out that even 2.7.3 didn't include the CVE-2016-2324 fix(es), so we need to update these again:
http://openwall.com/lists/oss-security/2016/03/16/9

Hopefully 2.7.4 will be rolled out soon!
Whiteboard: (none) => feedback
URL: (none) => http://lwn.net/Vulnerabilities/680320/
git 2.7.4 is now available. Please update git and cgit again.
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
If anyone wants to try a reproducer, see here:
http://openwall.com/lists/oss-security/2016/03/18/1

I don't think it's necessary for testing the update, but it's there for the curious.
Updated (again) packages uploaded for Mageia 5 and Cauldron. Thanks Shlomi for the git update.

Advisory:
========================

Updated git and cgit packages fix security vulnerabilities:

There is a buffer overflow vulnerability possibly leading to remote code execution in git. It can happen while pushing or cloning a repository with a large filename or a large number of nested trees (CVE-2016-2315, CVE-2016-2324).

The git package has been updated to version 2.7.4, which fixes this issue, as well as several other bugs.

The cgit package bundles git, and its bundled copy of git has also been updated to version 2.7.4.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.4.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.5.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.0.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.1.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.2.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.3.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1317981
http://openwall.com/lists/oss-security/2016/03/15/5
http://openwall.com/lists/oss-security/2016/03/16/9
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.mga5
git-core-2.7.4-1.mga5
gitk-2.7.4-1.mga5
gitview-2.7.4-1.mga5
libgit-devel-2.7.4-1.mga5
git-svn-2.7.4-1.mga5
git-cvs-2.7.4-1.mga5
git-arch-2.7.4-1.mga5
git-email-2.7.4-1.mga5
perl-Git-2.7.4-1.mga5
git-core-oldies-2.7.4-1.mga5
gitweb-2.7.4-1.mga5
git-prompt-2.7.4-1.mga5
cgit-0.12-1.2.mga5

from SRPMS:
git-2.7.4-1.mga5.src.rpm
cgit-0.12-1.2.mga5.src.rpm
Whiteboard: feedback => (none)
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on Acer D620 Xfce

No installation issues.

I created a new account (didn't have one before), put three files in hello-world and cloned this one along the lines of the procedure in bug 16913. Seems to work OK.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Validating. Advisory is current.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0119.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED