Summary: | <dev-vcs/git-2.13.0: escape out of git-shell (CVE-2017-8386) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | dwfreed <dwfreed> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | polynomial-c, robbat2 |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ | | |
Whiteboard: | B2 [glsa cve] | | |
Package list: | =dev-vcs/git-2.13.0 | | |
Runtime testing required: | --- | | |
Description
dwfreed
2017-05-10 17:16:15 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Arches please test and mark stable =dev-vcs/git-2.13.0 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris

amd64 stable

Not only v2.13.0, but also versions v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5, v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have this (CVE-2017-8386) fix, too: http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html

(In reply to Teika kazura from comment #4)
> Not only v2.13.0, but also versions v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5,
> v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have this (CVE-2017-8386) fix, too:
> http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html

We only have version 2.10.X in tree, so while the others are vulnerable they do not apply to Gentoo.

sparc stable

Stable on alpha.

Stable for HPPA.

arm stable

x86 stable

ppc64 stable

ppc stable.

New GLSA Request filed.

please continue stabilization for ia64

ia64 stable. Last arch.

@ Maintainer(s): Please cleanup and drop =dev-vcs/git-2.12.3!

This issue was resolved and addressed in GLSA 201706-04 at https://security.gentoo.org/glsa/201706-04 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

Cleanup PR: https://github.com/gentoo/gentoo/pull/4868

Now cleaned up, all done.