git is vulnerable to a command injection via SSH URLs, see upstream:
https://marc.info/?l=git&m=150238802328673&w=2

And from the bug finder:
http://blog.recurity-labs.com/2017-08-10/scm-vulns

2.14.1 fixes the issue; in case you don't want to stabilize that yet, several fixed versions for older release branches have also been published by upstream.

A similar vuln affects subversion and mercurial.
Arches, please test & stabilize dev-vcs/git-2.13.5 (already in the tree prior to this bug).
Stable on amd64.
(In reply to Tobias Klausmann from comment #2)
> Stable on amd64.

Bullshit.
Stable on alpha.
ia64 stable
ppc/ppc64 stable
amd64 stable
x86 stable
arm stable
sparc stable (thanks to Dakon)
hppa stable (thanks to Dakon)
Last arch is done here.
@maintainer(s), please clean up tree, thank you!

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201709-10 at https://security.gentoo.org/glsa/201709-10 by GLSA coordinator Aaron Bauman (b-man).
Reopened for cleanup. @maintainers, please clean the vulnerable versions.
Maintainer(s), please drop the vulnerable version(s).

dev-vcs/git-(2.13.0,2.13.3,2.13.4)
dev-vcs/git-(2.14.0,2.14.0-r1)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fc034c016555ddaa8c84902f2e2c0b9c335185c

commit 5fc034c016555ddaa8c84902f2e2c0b9c335185c
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2017-10-02 03:16:33 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2017-10-02 03:16:36 +0000

    dev-vcs/git: cleanup old ebuilds.

    Bug: https://bugs.gentoo.org/show_bug.cgi?id=627488#c17
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/git/Manifest             |  12 -
 dev-vcs/git/git-2.13.0.ebuild    | 677 --------------------------------------
 dev-vcs/git/git-2.13.3.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.13.4.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.14.0-r1.ebuild | 691 ---------------------------------------
 dev-vcs/git/git-2.14.0.ebuild    | 680 --------------------------------------
 6 files changed, 3420 deletions(-)