An advisory has been issued today (September 26): http://openwall.com/lists/oss-security/2017/09/26/9

Updated packages uploaded for Mageia 6 and Cauldron. Mageia 5 is not affected.

git-2.13.6-1.mga6
git-core-2.13.6-1.mga6
gitk-2.13.6-1.mga6
libgit-devel-2.13.6-1.mga6
git-svn-2.13.6-1.mga6
git-cvs-2.13.6-1.mga6
git-arch-2.13.6-1.mga6
git-email-2.13.6-1.mga6
perl-Git-2.13.6-1.mga6
perl-Git-SVN-2.13.6-1.mga6
git-core-oldies-2.13.6-1.mga6
gitweb-2.13.6-1.mga6
git-prompt-2.13.6-1.mga6

from git-2.13.6-1.mga6.src.rpm
Fedora has issued an advisory for this on September 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODJU26XWYQUE2Z65OUK5EVPC74VRIAPM/
CVE-2017-14867 has been assigned for this: http://openwall.com/lists/oss-security/2017/09/28/7
Summary: Git cvsserver OS Command Injection => Git cvsserver OS Command Injection (CVE-2017-14867)
Installed the update candidate and git works OK on my end. I haven't checked if there's a PoC to reproduce, but given that this update has been stalled for a month I think we can go ahead.
Whiteboard: (none) => MGA6-64-OK
Advisory uploaded as:

type: security
subject: Updated git packages fix security vulnerability
CVE:
 - CVE-2017-14867
src:
 6:
 core:
 - git-2.13.6-1.mga6
description: |
 The `git` subcommand `cvsserver` is a Perl script which makes excessive use of the backtick operator to invoke `git`. Unfortunately user input is used within some of those invocations, which can be an OS Command Injection vulnerability (CVE-2017-14867).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=21774
 - http://openwall.com/lists/oss-security/2017/09/26/9
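The pattern the advisory describes, shown as an added example that is not git-cvsserver's own code: a backtick invocation that interpolates caller-supplied text hands that text to /bin/sh, while the list form of open() runs git directly with no shell. The function names and the ref-name allowlist are assumptions for illustration, not git's real ref-name rules.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable shape (illustrative, not cvsserver's actual lines): $ref is
# interpolated into a backtick string, so /bin/sh parses the whole command
# and any shell metacharacters in $ref are interpreted as shell syntax.
sub list_commits_unsafe {
    my ($ref) = @_;
    return `git rev-list $ref`;
}

# Hypothetical conservative allowlist for a ref name: letters, digits,
# '/', '.', '-', '_'; no leading '-' (would be parsed as a git option),
# no '..' (path-traversal-like ranges).
sub valid_ref_name {
    my ($ref) = @_;
    return 0 unless defined $ref && length $ref;
    return 0 if $ref =~ m{^-};
    return 0 if $ref =~ m{\.\.};
    return 0 unless $ref =~ m{^[A-Za-z0-9/._-]+$};
    return 1;
}

# Hardened form: validate first, then invoke git through the list form of
# open(), which calls execvp() directly. No shell is involved, so
# characters such as ';' or '|' in $ref are never interpreted.
sub list_commits_safe {
    my ($ref) = @_;
    die "refusing unsafe ref name: $ref\n" unless valid_ref_name($ref);
    open(my $fh, '-|', 'git', 'rev-list', $ref, '--')
        or die "cannot run git: $!\n";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Self-check of the validator on constructed inputs.
for my $candidate ('main', 'feature/x-1', '-n1', 'a;b', 'a$(b)', 'a..b') {
    printf "%-12s %s\n", $candidate,
        valid_ref_name($candidate) ? 'accepted' : 'rejected';
}
```

Run inside a git repository to see list_commits_safe('main') return commit ids; the first two candidates are accepted and the remaining four rejected by the validator.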
Whiteboard: MGA6-64-OK => MGA6-64-OK advisory
Whiteboard: MGA6-64-OK advisory => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0404.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED