An advisory has been issued today (September 26):
Updated packages uploaded for Mageia 6 and Cauldron. Mageia 5 is not affected.
Fedora has issued an advisory for this on September 28:
CVE-2017-14867 has been assigned for this:
Git cvsserver OS Command Injection => Git cvsserver OS Command Injection (CVE-2017-14867)
Installed the update candidate and git works OK on my end. I haven't checked if there's a PoC to reproduce, but given that this update has been stalled for a month I think we can go ahead.
Advisory uploaded as:
subject: Updated git packages fix security vulnerability
The `git` subcommand `cvsserver` is a Perl script which makes excessive
use of the backtick operator to invoke `git`. Unfortunately user input
is used within some of those invocations, which can be an OS Command
Injection vulnerability (CVE-2017-14867).
MGA6-64-OK advisory =>
An update for this issue has been pushed to the Mageia Updates repository.
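The pattern the advisory text describes (a Perl script passing user input to `git` through backticks) is shown here next to a list-form invocation that bypasses the shell. This is an added example, not code from git-cvsserver or from this bug report; the helper names, the choice of `git check-ref-format --branch` as the command, and the input string are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper showing the risky pattern: the string inside the
# backticks is interpolated and handed to /bin/sh, which interprets any
# shell metacharacters contained in $name.
sub check_branch_backticks {
    my ($name) = @_;
    return `git check-ref-format --branch $name 2>&1`;
}

# Hypothetical helper showing the safer pattern: list-form pipe open execs
# git directly, so $name reaches git as exactly one argument and no shell
# ever parses it.
sub check_branch_list {
    my ($name) = @_;

    # A leading dash would be read by git as an option, so refuse it.
    return undef if $name =~ /\A-/;

    open(my $fh, '-|', 'git', 'check-ref-format', '--branch', $name)
        or die "cannot run git: $!\n";
    my $out = do { local $/; <$fh> };   # slurp git's stdout
    close($fh);                         # sets $? to git's exit status

    # git exits non-zero when the name is not a valid branch name.
    return $? == 0 ? $out : undef;
}

# Constructed input: a "branch name" carrying a shell metacharacter.
my $input = 'master; echo INJECTED';

# The shell splits the string at ';' and runs the second command as well.
print "backticks: ", check_branch_backticks($input);

# git receives the whole string as one argument and rejects it.
print "list form: ",
    defined(check_branch_list($input)) ? "accepted\n" : "rejected\n";

# A plain branch name is still accepted by the list-form helper.
print "list form: ",
    defined(check_branch_list('master')) ? "accepted\n" : "rejected\n";
```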