From ${URL} : Description A security issue has been reported in GIT, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to the "git-imap-send" not properly verifying IMAP server hostname against the domain name in SSL certificates. This can be exploited to e.g. spoof the server via a MitM (Man-in-the-Middle) attack and e.g. disclose potentially sensitive information. The security issue is reported in versions prior to 1.8.1.4. Solution Update to version 1.8.1.4. Original Advisory https://bugzilla.novell.com/show_bug.cgi?id=804730 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
Robin, can we stabilize =dev-vcs/git-1.8.1.4 or =dev-vcs/git-1.8.1.5 ?
Arches, please test & stabilize git-1.8.1.5. Target stable keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 Testing instructions. Use the src_test. Here's the output I get for for it. FEATURES='test userpriv' USE="blksha1 cgi curl cvs doc gpg iconv pcre perl python subversion threads webdav xinetd -emacs -gnome-keyring -gtk -highlight -nls -ppcsha1 -tk" ebuild git-1.8.1.5.ebuild test ... fixed 0 success 9109 failed 0 broken 74 total 9236 If you get non-zero for failed, I'd like reports.
amd64 stable
x86 stable
ppc done
Stable for HPPA.
sh stable
arm stable
ppc64 stable
alpha stable
ia64 stable
sparc stable
s390 stable
m68k has no stable keyword. Security, please vote
GLSA vote: no.
CVE-2013-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0308): The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
NO too, closing.
