From ${URL}:

The following issue was fixed in Git version 2.6.1:

* Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.

Upstream patches:
https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

CVE request: http://seclists.org/oss-sec/2015/q4/37

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
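To see what the fix described above does in practice, here is an added example (not part of the bug report or of git's own code) that audits a .gitmodules file the way the 2.6.1 protocol allow-list would: each submodule URL is classified by transport (remote-helper `proto::`, `scheme://`, scp-like `host:path` as ssh, otherwise a local path as file) and anything outside the default allow-list of file, git, http, https and ssh is reported. The .gitmodules content is constructed for the example and the helper path in it is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Default allow-list, matching the GIT_ALLOW_PROTOCOL default introduced in git 2.6.1.
DEFAULT_ALLOWED = frozenset({"file", "git", "http", "https", "ssh"})
_HELPER = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")   # remote-helper syntax, e.g. ext::
_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")      # scheme URL, e.g. https://
_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_URL_KEY = re.compile(r"^\s*url\s*=\s*(.*?)\s*$")

# Constructed sample .gitmodules; "some-helper" is a placeholder, not a real program.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.com/libfoo.git
[submodule "libbar"]
    path = vendor/libbar
    url = git@example.com:org/libbar.git
[submodule "local"]
    path = vendor/local
    url = ../local.git
[submodule "helper"]
    path = vendor/helper
    url = ext::/usr/local/bin/some-helper %S /srv/repo.git
[submodule "ftp"]
    path = vendor/ftp
    url = ftp://example.com/ftp.git
"""

def transport_of(url: str) -> str:
    """Classify a URL like git chooses a transport: 'proto::' helper first,
    then 'scheme://', then scp-like '[user@]host:path' (colon before any
    slash) which is ssh, otherwise a local path handled as file."""
    m = _HELPER.match(url) or _URL.match(url)
    if m:
        return m.group(1).lower()
    colon, slash = url.find(":"), url.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        return "ssh"
    return "file"

def parse_gitmodules(text: str) -> Dict[str, str]:
    """Return {submodule name: url} from .gitmodules text."""
    urls, current = {}, None
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1)
            continue
        key = _URL_KEY.match(line)
        if key and current is not None:
            urls[current] = key.group(1)
    return urls

def audit(text: str, allowed=DEFAULT_ALLOWED) -> List[Tuple[str, str, str]]:
    """List (name, transport, url) for submodules the allow-list would block."""
    return [(n, transport_of(u), u) for n, u in parse_gitmodules(text).items()
            if transport_of(u) not in allowed]
```

Running `audit(SAMPLE_GITMODULES)` flags the `ext::` and `ftp://` entries, which is exactly the set a recursive fetch on a fixed git refuses unless GIT_ALLOW_PROTOCOL is widened.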
AFAIK the same fixes went into =dev-vcs/git-2.3.10, =dev-vcs/git-2.4.10 and =dev-vcs/git-2.5.4, so I'd prefer to stabilize =dev-vcs/git-2.3.10 and =dev-vcs/git-2.4.10.

Arches, please test and mark stable the above mentioned two versions. Target keywords are: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
amd64 stable
Stable for PPC64.
x86 stable
Stable for HPPA.
Stable on alpha.
arm stable
ppc stable
sparc stable
ia64 stable
commit 6064b8095a426e5e985ad64632ac58674c9fcea9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Thu Nov 19 15:23:15 2015

dev-vcs/git: Removed vulnerable versions (bug #562884).

Package-Manager: portage-2.2.25
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201605-01 at https://security.gentoo.org/glsa/201605-01 by GLSA coordinator Kristian Fiskerstrand (K_F).