Bug 24058 - git new security issue CVE-2018-19486
Summary: git new security issue CVE-2018-19486
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-25 20:29 CET by David Walser
Modified: 2019-06-21 03:08 CEST

See Also:
Source RPM: git-2.13.7-1.2.mga6.src.rpm

Description David Walser 2018-12-25 20:29:18 CET
Fedora has issued an advisory on November 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SIQD4R3AXAVLC7I56GWWF23JHSCDSW2J/

The issue is fixed upstream in 2.19.2.
Comment 1 Frédéric "LpSolit" Buclin 2019-05-19 14:36:37 CEST
There is no activity on this bug despite it being marked security + critical. What's missing?
Comment 2 Thomas Backlund 2019-05-21 11:57:00 CEST
Maintainer time...

SRPM:
git-2.13.7-1.3.mga6.src.rpm

i586:
git-2.13.7-1.3.mga6.i586.rpm
git-arch-2.13.7-1.3.mga6.i586.rpm
git-core-2.13.7-1.3.mga6.i586.rpm
git-core-oldies-2.13.7-1.3.mga6.i586.rpm
git-cvs-2.13.7-1.3.mga6.i586.rpm
git-email-2.13.7-1.3.mga6.i586.rpm
gitk-2.13.7-1.3.mga6.i586.rpm
git-prompt-2.13.7-1.3.mga6.i586.rpm
git-svn-2.13.7-1.3.mga6.i586.rpm
gitweb-2.13.7-1.3.mga6.i586.rpm
libgit-devel-2.13.7-1.3.mga6.i586.rpm
perl-Git-2.13.7-1.3.mga6.i586.rpm
perl-Git-SVN-2.13.7-1.3.mga6.i586.rpm

x86_64:
git-2.13.7-1.3.mga6.x86_64.rpm
git-arch-2.13.7-1.3.mga6.x86_64.rpm
git-core-2.13.7-1.3.mga6.x86_64.rpm
git-core-oldies-2.13.7-1.3.mga6.x86_64.rpm
git-cvs-2.13.7-1.3.mga6.x86_64.rpm
git-email-2.13.7-1.3.mga6.x86_64.rpm
gitk-2.13.7-1.3.mga6.x86_64.rpm
git-prompt-2.13.7-1.3.mga6.x86_64.rpm
git-svn-2.13.7-1.3.mga6.x86_64.rpm
gitweb-2.13.7-1.3.mga6.x86_64.rpm
lib64git-devel-2.13.7-1.3.mga6.x86_64.rpm
perl-Git-2.13.7-1.3.mga6.x86_64.rpm
perl-Git-SVN-2.13.7-1.3.mga6.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 3 PC LX 2019-05-22 13:25:44 CEST
Installed and tested without issues.

Tests included local and remote (HTTPS, SSH) repositories and usual operation (e.g. init, clone, status, diff, add, commit, push, pull, stash).

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.119-desktop-1.mga6 #1 SMP Tue May 14 19:26:16 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i git | grep -v .git | sort
git-2.13.7-1.3.mga6
git-arch-2.13.7-1.3.mga6
git-core-2.13.7-1.3.mga6
git-core-oldies-2.13.7-1.3.mga6
git-cvs-2.13.7-1.3.mga6
git-email-2.13.7-1.3.mga6
gitk-2.13.7-1.3.mga6
git-prompt-2.13.7-1.3.mga6
git-svn-2.13.7-1.3.mga6
perl-Git-2.13.7-1.3.mga6
perl-Git-SVN-2.13.7-1.3.mga6

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 4 PC LX 2019-06-04 15:50:42 CEST
Have been using this update for about two weeks without issues. It would be good to have more people testing but I think it's time to push this forward. I can write an advisory if no one objects.
Comment 5 Thomas Andrews 2019-06-21 02:16:20 CEST
Validating. I have no objection to PC LX writing a suggested advisory.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-06-21 02:24:48 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-06-21 03:08:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0199.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

