A security issue fixed upstream in git has hit the press:
http://www.esecurityplanet.com/threats/git-svn-and-mercurial-open-source-version-control-systems-update-for-critical-security-vulnerability.html

The issue is fixed in 2.13.5 and 2.14.1 (already in Cauldron). Mageia 5 is probably also affected.
Debian has issued an advisory for this on August 10:
https://www.debian.org/security/2017/dsa-3934

Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated git packages fix security vulnerability:

Joern Schneeweisz discovered that git, a distributed revision control system, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command, for instance via git submodules (CVE-2017-1000117).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.5.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.7.6.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.4.txt
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.5.txt
https://www.debian.org/security/2017/dsa-3934
========================

Updated packages in core/updates_testing:
========================
git-2.7.6-1.mga5
git-core-2.7.6-1.mga5
gitk-2.7.6-1.mga5
gitview-2.7.6-1.mga5
libgit-devel-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-email-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
gitweb-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-2.13.5-1.mga6
git-core-2.13.5-1.mga6
gitk-2.13.5-1.mga6
libgit-devel-2.13.5-1.mga6
git-svn-2.13.5-1.mga6
git-cvs-2.13.5-1.mga6
git-arch-2.13.5-1.mga6
git-email-2.13.5-1.mga6
perl-Git-2.13.5-1.mga6
perl-Git-SVN-2.13.5-1.mga6
git-core-oldies-2.13.5-1.mga6
gitweb-2.13.5-1.mga6
git-prompt-2.13.5-1.mga6

from SRPMS:
git-2.7.6-1.mga5.src.rpm
git-2.13.5-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Assignee: tmb => qa-bugs
Whiteboard: MGA5TOO => MGA5TOO advisory
CC: (none) => nathan95
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA6-64-OK
Installed and tested without issues. Tested on local and remote repositories, including github repositories.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep -i '^git|libgit|perl-git' | sort
git-2.7.6-1.mga5
git-arch-2.7.6-1.mga5
git-core-2.7.6-1.mga5
git-core-oldies-2.7.6-1.mga5
git-cvs-2.7.6-1.mga5
git-email-2.7.6-1.mga5
gitk-2.7.6-1.mga5
git-prompt-2.7.6-1.mga5
git-svn-2.7.6-1.mga5
perl-Git-2.7.6-1.mga5
Whiteboard: MGA5TOO advisory MGA6-64-OK => MGA5TOO advisory MGA6-64-OK MGA5-64-OK
CC: (none) => mageia
Validating under our temporary short-cut policy: 1 OK per release OK here.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0266.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED