[Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell)
From: Leo Famulari
Subject: [Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell)
Date: Wed, 7 Jun 2017 16:39:59 -0400
User-agent: Mutt/1.8.3 (2017-05-23)
Dear Savannah,
CVE-2017-8386 [0] was recently fixed for Git. This bug allows remote users
to bypass authentication restrictions in git-shell and possibly have
other impacts.
This bug was fixed in upstream Git maintenance releases Git v2.4.12,
v2.5.6, v2.6.7, v2.7.5, v2.8.5, v2.9.4, v2.10.3, v2.11.2, and v2.12.3.
Apparently, 2.12.3 included some more unnamed security fixes:
http://marc.info/?l=linux-kernel&m=149437481723960&w=2
Does Savannah use git-shell? Has anybody looked into this yet?
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
Fix commit:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5
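Added example, not part of the original message: a POSIX shell check that compares a Git version against the fixed maintenance releases listed in the message and lists accounts whose login shell is git-shell. The function names, the status strings and the treatment of release series newer than 2.12 as fixed are assumptions of this example.

```shell
#!/bin/sh
# Fixed maintenance releases for CVE-2017-8386, copied from the message.
FIXED="2.4.12 2.5.6 2.6.7 2.7.5 2.8.5 2.9.4 2.10.3 2.11.2 2.12.3"

# git_8386_status VERSION
# Prints one of: fixed | vulnerable | no-fix-listed | unknown
git_8386_status() {
    ver=${1#v}
    case $ver in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;  # drop "-rc1", ".windows.1"
        *)   patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    # Same release series as a listed fix: compare the patch level.
    for f in $FIXED; do
        if [ "$major.$minor" = "${f%.*}" ]; then
            if [ "$patch" -ge "${f##*.}" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # Assumption: release series newer than 2.12 already contain the fix.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 12 ]; }; then
        echo fixed
    else
        echo no-fix-listed   # older than 2.4: the message names no fixed release
    fi
}

# git_shell_users [PASSWD_FILE]
# Prints account names whose login shell (field 7) is git-shell.
git_shell_users() {
    awk -F: '$7 ~ /(^|\/)git-shell$/ { print $1 }' "${1:-/etc/passwd}"
}

# Report for this host; an absent git binary yields "unknown".
installed=$(git --version 2>/dev/null | awk '{ print $3 }')
echo "git ${installed:-not-found}: $(git_8386_status "${installed:-}")"
echo "git-shell accounts: $(git_shell_users 2>/dev/null | tr '\n' ' ')"
```

Accounts that reach git-shell through an SSH forced command rather than a login shell are not found by `git_shell_users`.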