Summary: | <dev-vcs/git-2.16.0: Input validation error | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | polynomial-c, robbat2 |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [noglsa cve] | ||
Package list: | =dev-vcs/git-2.16.1 | ||
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2018-02-12 19:14:31 UTC
Arches please stabilize =dev-vcs/git-2.16.1

x86 stable

amd64 stable

commit 3e39d2d249c1dd97f63c9291160384a3a2844036
Author: Rolf Eike Beer <eike@sf-mail.de>
Date: Fri Feb 16 09:23:06 2018 +0100

dev-vcs/git: stable 2.16.1 for sparc, bug #647446

ia64 stable

hppa stable

arm64 stable

Stable on alpha.

arm stable

I get test failures in t5000 which I remember seeing before. Stabilized anyway...

ppc/ppc64 done

@Maintainers please remove vulnerable versions.

GLSA Request filed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10695ef636e1cfd7cc146a76ed8fab7f9ef38422

commit 10695ef636e1cfd7cc146a76ed8fab7f9ef38422
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-03-12 18:54:58 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-03-12 18:54:58 +0000

dev-vcs/git: Security cleanup.

Bug: https://bugs.gentoo.org/647446
Package-Manager: Portage-2.3.24, Repoman-2.3.6

dev-vcs/git/Manifest | 12 -
dev-vcs/git/git-2.13.6.ebuild | 678 ----------------------------------------
dev-vcs/git/git-2.14.3.ebuild | 696 ------------------------------------------
dev-vcs/git/git-2.15.1.ebuild | 696 ------------------------------------------
dev-vcs/git/git-2.16.0.ebuild | 696 ------------------------------------------
5 files changed, 2778 deletions(-)

arm stable

This falls into hardening and not interacting with malicious or untrusted Git servers. Second, MITM would compromise much more than just this and it is highly advisable to use a secured protocol when cloning, pushing, etc. While the technical fix will address one of these it does not address all.