Package "git"
Name: git
Description: fast, scalable, distributed revision control system
Latest version: 1:2.7.4-0ubuntu1.10
Release: xenial (16.04)
Level: security
Repository: main
Homepage: https://git-scm.com/
Changelog
git (1:2.7.4-0ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via submodule URLs and
paths in .gitsubmodules.
- 0001-submodule-helper-use-to-signal-end-of-clone-options.patch,
0002-submodule-config-ban-submodule-urls-that-start-with-.patch,
0003-submodule-config-ban-submodule-paths-that-start-with.patch:
disallow urls and files that begin with '--'.
- 0004-fsck-detect-submodule-urls-starting-with-dash.patch,
0005-fsck-detect-submodule-paths-starting-with-dash.patch:
reject gitmodules that contain submodule urls and files that begin
with '--'.
- CVE-2018-17456
* SECURITY UPDATE: incomplete fix for CVE-2017-14867
- 0006-cvsimport-apply-shell-quoting-regex-globally.patch: escape
all instances of backticks
-- Steve Beattie <email address hidden> Fri, 05 Oct 2018 16:59:03 -0700
CVE-2018-17456: Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote cod
CVE-2017-14867: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support sub
git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via
submodule names in .gitsubmodules.
- 0014-fsck-simplify-.git-check.patch
- 0015-fsck-actually-fsck-blob-data.patch
- 0016-fsck-detect-gitmodules-files.patch
- 0017-fsck-check-.gitmodules-content.patch
- 0018-fsck-call-fsck_finish-after-fscking-objects.patch
- 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
- 0020-index-pack-check-.gitmodules-files-with-strict.patch
- CVE-2018-11235 (LP: #1774061)
* SECURITY UPDATE: out-of-bounds memory access when sanity-checking
pathnames on NTFS
- 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
- CVE-2018-11233
* Do not allow .gitmodules to be a symlink:
- 0003-is_hfs_dotgit-match-other-.git-files.patch
- 0004-is_ntfs_dotgit-match-other-.git-files.patch
- 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
- 0006-skip_prefix-add-case-insensitive-variant.patch
- 0007-verify_path-drop-clever-fallthrough.patch
- 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
- 0009-update-index-stat-updated-files-earlier.patch
- 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
- 0011-sha1_file-add-read_loose_object-function.patch
- 0012-fsck-parse-loose-object-paths-directly.patch
- 0013-index-pack-make-fsck-error-message-more-specific.patch
- 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
* debian/rules: ensure added tests are executable.
-- Steve Beattie <email address hidden> Fri, 01 Jun 2018 23:44:15 -0700
1774061: git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules
CVE-2018-11235: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. Wi
CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on N
git (1:2.7.4-0ubuntu1.3) xenial-security; urgency=high
* SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
- shell-drop-git-cvsserver-support-by-default.diff
- cvsserver-use-safe_pipe_capture.diff
- cvsimport-shell-quote-variable-used-in-backticks.diff
- archimport-use-safe_pipe_capture-for-user-input.diff
- CVE-2017-14867
-- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:14:37 -0500
git (1:2.7.4-0ubuntu1.2) xenial-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution on clients through
malicious ssh URLs.
- debian/patches/CVE-2017-1000117.patch: filter out hostnames that
would be interpreted as cli arguments to ssh
- debian/diff/0002-transport-expose-git_tcp_connect-and-friends-in-new-t.diff:
update to adjust for changes from CVE-2017-1000117.patch.
- CVE-2017-1000117
-- Steve Beattie <email address hidden> Thu, 10 Aug 2017 14:15:28 -0700
git (1:2.7.4-0ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: git shell restriction bypass
- debian/patches/CVE-2017-8386.patch: disallow repo names beginning
with dash in shell.c.
- CVE-2017-8386
-- Marc Deslauriers <email address hidden> Fri, 12 May 2017 09:29:55 -0400