Bugzilla – Bug 910756
VUL-0: CVE-2014-9390: git: arbitrary command execution vulnerability on case-insensitive file systems
Last modified: 2015-06-22 12:06:48 UTC
From http://article.gmane.org/gmane.linux.kernel/1853266
> This is a security-fix for CVE-2014-9390, which affects users on
> Windows and Mac OS X but not typical UNIX users. A set of new
> releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
> v2.1.4) are published at the same time and they contain the same fix.
> Various implementations and ports, including Git for Windows, Git OS
> X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
> have been updated at the same time.
>
> Even though the issue may not affect Linux users, if you are a
> hosting service whose users may fetch from your service to Windows
> or Mac OS X machines, you are strongly encouraged to update to
> protect such users who use existing versions of Git.
Not directly affected, but updates to 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1 should be advised.
Is an update for git 1.7.12.4 required? That version is provided with SLES 11 SP3.
bugbot adjusting priority
(In reply to Gregor Dschung from comment #2)
> Is an update for git 1.7.12.4 required? That version is provided with SLES 11
> SP3.
Yes, we need it. Also, changing from 1.8.4 to 1.8.5 isn't good either, as there is a significant behavior change between them regarding git-push.
OK, I submitted the fixes to openSUSE 13.2, openSUSE 13.1, SLE11-SP1 and SLE12.
This is an autogenerated message for OBS integration: This bug (910756) was mentioned in
https://build.opensuse.org/request/show/280185 13.1 / git
https://build.opensuse.org/request/show/280189 13.2 / git
We have to start SLE SWAMP.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-01-30. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60251
Reassigned to security team for releases.
SUSE-SU-2015:0100-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910756
CVE References: CVE-2014-9390
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): git-1.8.5.6-5.1
SUSE Linux Enterprise Server 12 (src): git-1.8.5.6-5.1
SUSE-SU-2015:0154-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910756
CVE References: CVE-2014-9390
Sources used:
SUSE Studio Onsite 1.3 (src): git-1.7.12.4-0.9.1
SUSE-SU-2015:0154-2: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910756
CVE References: CVE-2014-9390
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): git-1.7.12.4-0.9.1
openSUSE-SU-2015:0159-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910756
CVE References: CVE-2014-9390
Sources used:
openSUSE 13.2 (src): git-2.1.4-9.7
openSUSE 13.1 (src): git-1.8.4.5-3.8.4
released
Jan, cgit bundles git sources. The advisory notes that the fix would protect client users. Even though openSUSE is not affected directly, would you do an update?
openSUSE:13.1 cgit 0.9.1, git 1.7.6.4
openSUSE:13.2 cgit 0.9.1, git 1.7.6.4
This is an autogenerated message for OBS integration: This bug (910756) was mentioned in https://build.opensuse.org/request/show/311599 13.2 / cgit
This is an autogenerated message for OBS integration: This bug (910756) was mentioned in https://build.opensuse.org/request/show/311627 13.1 / cgit
Starting cgit update, thanks.
cgit released, closing
openSUSE-SU-2015:1096-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 910756
CVE References: CVE-2014-9390
Sources used:
openSUSE 13.2 (src): cgit-0.11.2-13.3.1
openSUSE 13.1 (src): cgit-0.11.2-11.3.1