Bug 26516 - git new security issue CVE-2020-11008
Summary: git new security issue CVE-2020-11008
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
 
Reported: 2020-04-21 00:36 CEST by David Walser
Modified: 2020-04-24 19:05 CEST

Source RPM: git-2.21.2-1.mga7.src.rpm

Description David Walser 2020-04-21 00:36:08 CEST
A security issue fixed upstream in Git has been announced today (April 20):
https://www.openwall.com/lists/oss-security/2020/04/20/1

The upstream advisory is here:
https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

The issue is fixed upstream in 2.21.3 and 2.26.2.

Thomas Backlund has already built the updates.

Updated packages for Mageia 7:
git-2.21.3-1.mga7
git-core-2.21.3-1.mga7
gitk-2.21.3-1.mga7
libgit-devel-2.21.3-1.mga7
git-subtree-2.21.3-1.mga7
git-svn-2.21.3-1.mga7
git-cvs-2.21.3-1.mga7
git-arch-2.21.3-1.mga7
git-email-2.21.3-1.mga7
perl-Git-2.21.3-1.mga7
perl-Git-SVN-2.21.3-1.mga7
git-core-oldies-2.21.3-1.mga7
gitweb-2.21.3-1.mga7
git-prompt-2.21.3-1.mga7

from git-2.21.3-1.mga7.src.rpm
David Walser 2020-04-21 00:36:21 CEST

CC: (none) => tmb

Comment 1 Herman Viaene 2020-04-22 14:39:52 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Deleted -git folder from previous test bug 26483
$ git init
Initialized empty Git repository in /home/tester7/.git/
[tester7@mach5 ~]$ git config --global user.name "tester7"
[tester7@mach5 ~]$ git config --global user.email "herman.viaene@hotmail.be"
[tester7@mach5 ~]$ git add ~/Documents/okra/zwemmen.ods 
[tester7@mach5 ~]$ git branch
[tester7@mach5 ~]$ git show
fatal: your current branch 'master' does not have any commits yet
[tester7@mach5 ~]$ git commit
[master (root-commit) df3b657]  new file:   Documents/okra/zwemmen.ods
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Documents/okra/zwemmen.ods
[tester7@mach5 ~]$ git show
commit df3b6578b02040a588ea5aa325f8bd405252804e (HEAD -> master)
Author: tester7 <herman.viaene@hotmail.be>
Date:   Wed Apr 22 14:27:07 2020 +0200

            new file:   Documents/okra/zwemmen.ods

diff --git a/Documents/okra/zwemmen.ods b/Documents/okra/zwemmen.ods
new file mode 100644
index 0000000..f7f7b7e
Binary files /dev/null and b/Documents/okra/zwemmen.ods differ

Remark: the "master" does not appear in the prompt after the init. I don't know whether this is really important, but I guess it should be there.

CC: (none) => herman.viaene

Comment 2 David Walser 2020-04-23 20:33:35 CEST
Debian and Ubuntu have issued advisories for this on April 20 and 21:
https://www.debian.org/security/2020/dsa-4659
https://usn.ubuntu.com/4334-1/

Severity: normal => major

Thomas Backlund 2020-04-24 18:23:00 CEST

Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 3 Mageia Robot 2020-04-24 19:05:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0181.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

