http://seclists.org/oss-sec/2016/q1/645 I am not sure if https://bugs.gentoo.org/show_bug.cgi?id=577482 fixes both.
Thank you for filing this bug! Old, but Gentoo stable is still affected. This vulnerability is public, no need to restrict access. Fixed by upstream in v2.7.4 which is already in tree. @ Maintainer(s): We need to stabilize at least =dev-vcs/git-2.7.4. But maybe we can stabilize a newer version, i.e. the whole path_name thing was removed in 2.8.x...
Arches please test and mark stable =dev-vcs/git-2.10.2 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Stable on alpha.
commit 8fd404063dfb0aa99dd28019ee8979aec9f03ad3
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Mon Dec 12 11:57:41 2016
    dev-vcs/git: Stable for amd64 and x86 (bug #601984).
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
    RepoMan-Options: --include-arches="amd64,x86"
arm stable
sparc stable
ia64 stable
ppc stable
ppc64 stable
hppa ping
Stable for HPPA.
New GLSA request filed. @ Maintainer(s): Please clean up and drop at least <dev-vcs/git-2.7.4!
Freeing CVE alias. CVE-2016-2315 was already addressed in bug 577482 and GLSA 201605-01 but probably nobody noticed (well, Jonas set "See also") due to the encoding of the alias (UTF-8 dash). I'll finally close this bug as INVALID: While git-2.7.4 was the first upstream release containing fixes for both vulnerabilities, CVE-2016-2315 was already addressed in bug 577482 as said above, and the remaining vulnerability CVE-2016-2324 never affected Gentoo: CVE-2016-2324 is about a flaw in the path_name function, which was already removed by the bug fix for CVE-2016-2315 (bug 577482), see https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9af1e5cffa8122cf3b7c66a2a8291fafcd60c121.