Bug 21503 - git new security issue CVE-2017-1000117
Summary: git new security issue CVE-2017-1000117
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO advisory MGA6-64-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-12 00:28 CEST by David Walser
Modified: 2017-08-14 00:20 CEST
CC List: 4 users

See Also:
Source RPM: git-2.13.3-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-08-12 00:28:06 CEST
A security issue fixed upstream in git has hit the press:
http://www.esecurityplanet.com/threats/git-svn-and-mercurial-open-source-version-control-systems-update-for-critical-security-vulnerability.html

The issue is fixed in 2.13.5 and 2.14.1 (already in Cauldron).

Mageia 5 is probably also affected.
Comment 1 David Walser 2017-08-12 03:01:38 CEST
Debian has issued an advisory for this on August 10:
https://www.debian.org/security/2017/dsa-3934

Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated git packages fix security vulnerability:

Joern Schneeweisz discovered that git, a distributed revision control system,
did not correctly handle maliciously constructed ssh:// URLs. This allowed an
attacker to run an arbitrary shell command, for instance via git submodules
(CVE-2017-1000117).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.5.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.6.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.5.txt
https://www.debian.org/security/2017/dsa-3934
========================

Updated packages in core/updates_testing:
========================
git-2.7.6-1.mga5
git-core-2.7.6-1.mga5
gitk-2.7.6-1.mga5
gitview-2.7.6-1.mga5
libgit-devel-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-email-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
gitweb-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-2.13.5-1.mga6
git-core-2.13.5-1.mga6
gitk-2.13.5-1.mga6
libgit-devel-2.13.5-1.mga6
git-svn-2.13.5-1.mga6
git-cvs-2.13.5-1.mga6
git-arch-2.13.5-1.mga6
git-email-2.13.5-1.mga6
perl-Git-2.13.5-1.mga6
perl-Git-SVN-2.13.5-1.mga6
git-core-oldies-2.13.5-1.mga6
gitweb-2.13.5-1.mga6
git-prompt-2.13.5-1.mga6

from SRPMS:
git-2.7.6-1.mga5.src.rpm
git-2.13.5-1.mga6.src.rpm

Whiteboard: (none) => MGA5TOO
Assignee: tmb => qa-bugs
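The advisory above describes ssh:// URLs crafted so that git passes a hostname to ssh that ssh then reads as a command-line option; the fixed git versions refuse a host argument that begins with a dash. The following check is an added example written for this page, not code from the bug report, Debian, or the git project: it scans a constructed .gitmodules file for submodule URLs whose ssh host argument (the `[user@]host` part, port stripped) starts with `-`, and conservatively treats scp-style `host:path` URLs the same way.

```python
import re
from urllib.parse import urlsplit

# Constructed .gitmodules sample (not from the bug report): one benign ssh://
# URL, one whose host starts with a dash, and one dashed scp-style URL.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.org/libfoo.git
[submodule "vendor/evil"]
\tpath = vendor/evil
\turl = ssh://-example.org/repo.git
[submodule "vendor/bar"]
\tpath = vendor/bar
\turl = -example.org:repo.git
"""

URL_RE = re.compile(r"^[ \t]*url[ \t]*=[ \t]*(\S+)[ \t]*$", re.MULTILINE)
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")

def ssh_host_argument(url):
    """Return the string git hands to ssh as its host argument (user@host,
    port stripped), or None when the URL does not use the ssh transport."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme not in SSH_SCHEMES:
            return None
        host, sep, port = parts.netloc.rpartition(":")
        return host if sep and port.isdigit() else parts.netloc
    # scp-style "[user@]host:path" is ssh unless a slash precedes the colon
    head = url.split(":", 1)[0]
    if ":" in url and "/" not in head:
        return head
    return None  # local path, file:, https:, etc.

def is_dashed(host):
    """True when the host argument would be read by ssh as an option."""
    return host is not None and host.startswith("-")

def find_suspicious_submodule_urls(gitmodules_text):
    """Return every submodule url whose ssh host argument begins with '-'."""
    return [u for u in URL_RE.findall(gitmodules_text)
            if is_dashed(ssh_host_argument(u))]

if __name__ == "__main__":
    for url in find_suspicious_submodule_urls(SAMPLE_GITMODULES):
        print("suspicious submodule url:", url)
```

Run it against a real .gitmodules by replacing SAMPLE_GITMODULES with the file's contents; an empty result means no submodule URL has the dashed host shape that the patched git rejects.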

Lewis Smith 2017-08-13 10:18:38 CEST

Whiteboard: MGA5TOO => MGA5TOO advisory

nathan giovannini 2017-08-13 14:12:34 CEST

CC: (none) => nathan95
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA6-64-OK

Comment 2 PC LX 2017-08-13 19:00:08 CEST
Installed and tested without issues. Tested on local and remote repositories, including github repositories.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i '^git|libgit|perl-git' | sort
git-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-core-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-email-2.7.6-1.mga5
gitk-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5

Whiteboard: MGA5TOO advisory MGA6-64-OK => MGA5TOO advisory MGA6-64-OK MGA5-64-OK
CC: (none) => mageia

Comment 3 Lewis Smith 2017-08-13 20:42:52 CEST
Validating under our temporary short-cut policy: 1 OK per release OK here.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2017-08-14 00:20:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0266.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
