OpenSuSE has issued an advisory on March 1:
http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html

Cauldron is not affected, as it's fixed upstream in 1.8.1.4.

Patched package uploaded for Mageia 2.

Patches added in Mageia 1 SVN.

Advisory:
========================

Updated git packages fix security vulnerability:

It was discovered that Git's git-imap-send command, a tool to send a collection of patches from standard input (stdin) to an IMAP folder, did not properly perform SSL X.509 v3 certificate validation on the IMAP server's certificate, as it did not ensure that the server's hostname matched the one provided in the CN field of the server's certificate. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information (CVE-2013-0308).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0308
https://rhn.redhat.com/errata/RHSA-2013-0589.html
========================

Updated packages in core/updates_testing:
========================
git-1.7.10-1.1.mga2
git-core-1.7.10-1.1.mga2
gitk-1.7.10-1.1.mga2
gitview-1.7.10-1.1.mga2
libgit-devel-1.7.10-1.1.mga2
git-svn-1.7.10-1.1.mga2
git-cvs-1.7.10-1.1.mga2
git-arch-1.7.10-1.1.mga2
git-email-1.7.10-1.1.mga2
perl-Git-1.7.10-1.1.mga2
python-git-1.7.10-1.1.mga2
git-core-oldies-1.7.10-1.1.mga2
gitweb-1.7.10-1.1.mga2
git-prompt-1.7.10-1.1.mga2

from git-1.7.10-1.1.mga2.src.rpm

Reproducible:

Steps to Reproduce:
Severity: normal => major
git-imap-send man page gives useful information for testing. Online here: https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html
man gittutorial is helpful for general git.
https://www.kernel.org/pub/software/scm/git/docs/gittutorial.html

Before
------

$ mkdir git-test
$ cd git-test
$ echo "This is QA test number" > qatest.txt
$ git init
Initialized empty Git repository in /home/claire/git-test/.git/
$ git add .
$ git commit
<opens vi text editor, press i to enter insert mode and type the commit message, then press escape and :x to save it>
[master (root-commit) 0987a79] First Commit
 1 file changed, 1 insertion(+)
 create mode 100644 qatest.txt
$ echo "one" >> qatest.txt
$ git add qatest.txt
$ git diff --cached
diff --git a/qatest.txt b/qatest.txt
index 5c4bf19..b21084e 100644
--- a/qatest.txt
+++ b/qatest.txt
@@ -1 +1,2 @@
 This is QA test number
+one
<Press q to quit>
$ git commit
[master d127413] Second commit
 1 file changed, 1 insertion(+)
$ git format-patch --cover-letter -M --stdout --root d127413 | git imap-send
Resolving imap.gmail.com... ok
Connecting to [173.194.78.109]:993... ok
Logging in...
sending 3 messages
100% (3/3) done

Enter email password when it asks for SSH password.

Found the 3 messages in [Google Mail]/Drafts folder using thunderbird.

After
-----

$ echo "two" >> qatest.txt
$ git add qatest.txt
$ git commit
[master cb14306] third and final commit
 1 file changed, 1 insertion(+)
$ git format-patch --cover-letter -M --stdout --root cb14306 | git imap-send
Resolving imap.gmail.com... ok
Connecting to [173.194.66.108]:993... ok
Logging in...
sending 4 messages
100% (4/4) done

Found the new messages with thunderbird.

Testing complete mga2 64
Whiteboard: (none) => has_procedure mga2-64-ok
To tidy up..

$ cd ..
$ rm -rf git-test

Testing complete mga2 32

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
update pushed : https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0091
Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED
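
The hostname check that the advisory in comment 0 says git-imap-send lacked, sketched in Python as an added example (not git's code and not the Mageia patch). The certificates are constructed dicts in the shape returned by ssl.SSLSocket.getpeercert(); the function names and the rogue hostname are assumptions. It goes beyond the CN-only comparison named in the advisory by consulting subjectAltName first.

```python
# Added illustration of server identity checking; names here are hypothetical.

def _name_matches(pattern, host):
    """Compare one certificate name with the requested host, case-insensitively.
    A '*' is honoured only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need two fixed labels after the wildcard, so "*.com" never matches.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """DNS subjectAltName entries; the CN is used only when there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def hostname_ok(cert, host):
    """True only if the certificate was issued for the host we asked for."""
    return any(_name_matches(n, host) for n in cert_names(cert))


# Constructed sample certificates (not captured from any real server).
CN_ONLY = {"subject": ((("commonName", "imap.gmail.com"),),)}
ROGUE = {"subject": ((("commonName", "mail.rogue.example"),),),
         "subjectAltName": (("DNS", "mail.rogue.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.test"),)}
# CN matches the host but the SAN list does not: the SAN list wins.
CN_DECOY = {"subject": ((("commonName", "imap.gmail.com"),),),
            "subjectAltName": (("DNS", "mail.rogue.example"),)}

if __name__ == "__main__":
    for label, cert in [("CN_ONLY", CN_ONLY), ("ROGUE", ROGUE),
                        ("CN_DECOY", CN_DECOY)]:
        print(label, hostname_ok(cert, "imap.gmail.com"))
```

A chain that validates to a trusted CA is not enough on its own: without this comparison, any valid certificate for another name would be accepted for imap.gmail.com.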