
Bug 702296 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604)

Summary: <dev-vcs/git-{2.21.1,2.23.1-r1,2.24.1}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: polynomial-c, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+ cve]
Package list:
dev-vcs/git-2.23.1-r1 dev-vcs/git-2.24.1
Runtime testing required: Yes

Description Thomas Deutschmann gentoo-dev Security 2019-12-08 18:52:25 UTC
Incoming details.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-08 21:42:59 UTC
security:
ACK email CSR-20191210-1. Will try to be available to bump at the embargo time end. Please contact me if it leaks early.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2019-12-08 23:40:52 UTC
Also email ACK. If Robin cannot be present in time I will be his backup.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-10 18:59:35 UTC
security:
This appears to have dropped upstream BEFORE the embargo deadline.
Tarballs appeared on the kernel.org mirrors an hour before the deadline, and the commits were visible in repos as of 2019/12/10 07:07 UTC.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-10 19:39:56 UTC
commit e2c18c18104d5ef0c65195f6f51af9f8ca861dda contains the bumps.

arches, please test & stabilize:
dev-vcs/git-2.21.1
dev-vcs/git-2.23.1-r1
dev-vcs/git-2.24.1
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-11 12:52:35 UTC
amd64 stable
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-12-11 14:32:19 UTC
arm64 stable
Comment 7 Rolf Eike Beer 2019-12-11 20:03:48 UTC
sparc stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-12-12 21:56:05 UTC
ia64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-12-13 00:08:55 UTC
x86 stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:04:53 UTC
arm stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-12-25 21:00:27 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-01-03 13:57:51 UTC
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-02-12 09:35:48 UTC
ppc64 stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 12:53:57 UTC
sh stable
Comment 15 Thomas Deutschmann gentoo-dev Security 2020-03-15 16:52:01 UTC
New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 17:00:45 UTC
This issue was resolved and addressed in
 GLSA 202003-30 at https://security.gentoo.org/glsa/202003-30
by GLSA coordinator Thomas Deutschmann (whissi).