Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201706-04 ] Git: Security bypass
Date: Tue, 06 Jun 2017 08:48:27
Message-Id: 9f38c316-43b3-512b-f46f-4ae4063e7530@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201706-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Git: Security bypass
Date: June 06, 2017
Bugs: #618126
ID: 201706-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Git might allow remote attackers to bypass security
restrictions.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/git < 2.13.0 >= 2.13.0

Description
===========

Timo Schmid discovered that the Git restricted shell (git-shell)
incorrectly filtered the commands it is allowed to run.

Impact
======

A remote attacker could possibly bypass security restrictions and
access sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-2.13.0"
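The advisory gives the vulnerable range as "< 2.13.0". The following POSIX sh script is an added example, not part of the GLSA or of Git, for checking a host against that range: it compares dotted version strings component by component (so it does not depend on `sort -V`) and, when a `git` binary is on PATH, reports whether the installed version falls below the fixed version. The helper names (`version_lt`, `git_status`, `installed_git_version`, `report_installed_git`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the GLSA or the Git project): classify a Git
# version against the fixed version named in GLSA 201706-04.

FIXED_VERSION="2.13.0"   # unaffected range in the advisory: >= 2.13.0

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically; a missing component counts as 0 and
# any non-digit suffix in a component (e.g. "rc2") is ignored, so
# "2.13.0.rc2" is treated as 2.13.0.0 (a known simplification).
version_lt() {
    lhs=$1
    rhs=$2
    while [ -n "$lhs" ] || [ -n "$rhs" ]; do
        l=${lhs%%.*}
        r=${rhs%%.*}
        # consume the component just read (and its dot), or empty the string
        case $lhs in *.*) lhs=${lhs#*.} ;; *) lhs= ;; esac
        case $rhs in *.*) rhs=${rhs#*.} ;; *) rhs= ;; esac
        l=${l%%[!0-9]*}
        r=${r%%[!0-9]*}
        l=${l:-0}
        r=${r:-0}
        if [ "$l" -lt "$r" ]; then return 0; fi
        if [ "$l" -gt "$r" ]; then return 1; fi
    done
    return 1   # all components equal: not strictly lower
}

# git_status VERSION: print "vulnerable" or "unaffected" for a bare version
# string such as "2.12.2".
git_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# installed_git_version: print the bare version from `git --version`
# ("git version 2.12.2" -> "2.12.2"), or nothing when git is not on PATH.
installed_git_version() {
    command -v git >/dev/null 2>&1 || return 0
    git --version 2>/dev/null | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# report_installed_git: one-line verdict for the local installation.
report_installed_git() {
    v=$(installed_git_version)
    if [ -z "$v" ]; then
        echo "git: not installed on this host"
    else
        echo "git $v: $(git_status "$v") (GLSA 201706-04, fixed in $FIXED_VERSION)"
    fi
}

report_installed_git
```

On Gentoo the same question can be answered from the package database with `equery list dev-vcs/git` or `emerge -pv dev-vcs/git`; the script is useful where only the binary is available, for instance on a hosting box that exposes git-shell as a login shell.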

References
==========

[ 1 ] CVE-2017-8386
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8386

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201706-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
