Bug 702296 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604) - <dev-vcs/git-{2.21.1,2.23.1-r1,2.24.1}: multiple vulnerabilities
Summary: <dev-vcs/git-{2.21.1,2.23.1-r1,2.24.1}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, CVE-2019-19604
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Reported: 2019-12-08 18:52 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-15 17:00 UTC
Package list:
dev-vcs/git-2.23.1-r1 dev-vcs/git-2.24.1
Runtime testing required: Yes


Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-08 18:52:25 UTC
Incoming details.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-08 21:42:59 UTC
security:
ACK email CSR-20191210-1. Will try to be available to bump at the embargo time end. Please contact me if it leaks early.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-12-08 23:40:52 UTC
Also email ACK. If Robin cannot be present in time I will be his backup.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-10 18:59:35 UTC
security:
This appears to have dropped upstream BEFORE the embargo deadline.
Tarballs appeared on the kernel.org mirrors an hour before the deadline, and the commits were visible in repos as of 2019/12/10 07:07 UTC.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-12-10 19:39:56 UTC
commit e2c18c18104d5ef0c65195f6f51af9f8ca861dda contains the bumps.

arches, please test & stabilize:
dev-vcs/git-2.21.1
dev-vcs/git-2.23.1-r1
dev-vcs/git-2.24.1
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-11 12:52:35 UTC
amd64 stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2019-12-11 14:32:19 UTC
arm64 stable
Comment 7 Rolf Eike Beer archtester 2019-12-11 20:03:48 UTC
sparc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-12 21:56:05 UTC
ia64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-13 00:08:55 UTC
x86 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:04:53 UTC
arm stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-25 21:00:27 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-01-03 13:57:51 UTC
s390 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-02-12 09:35:48 UTC
ppc64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 12:53:57 UTC
sh stable
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:52:01 UTC
New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 17:00:45 UTC
This issue was resolved and addressed in GLSA 202003-30 at https://security.gentoo.org/glsa/202003-30 by GLSA coordinator Thomas Deutschmann (whissi).