Re: [Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell)
Wed, 7 Jun 2017 18:24:35 -0400
On Wed, Jun 07, 2017 at 09:54:54PM +0000, Assaf Gordon wrote:
> On Wed, Jun 07, 2017 at 04:39:59PM -0400, Leo Famulari wrote:
> > CVE-2017-8386 was recently fixed for Git. This bug allows remote users
> > to bypass authentication restrictions in git-shell [...]
> > Does Savannah use git-shell? Has anybody looked into this yet?
> Thank you for alerting us to this issue.
> Savannah does use 'git-shell',
> but we're also using a standard GNU/Linux distribution,
> and the fixed version was already in place as part
> of the automatic daily security updates
> (verified manually by Bob Proulx, just now).
Awesome, thanks for double-checking.
> Please do continue to send us such alerts if they seem relevant -
> another look can never hurt.
> If you (or others) discover a new vulnerability with savannah,
> we encourage everyone to report it to us privately at:
> savannah-hackers-private (at) gnu (dot) org .
> We will work with you quickly to resolve it,
> and then of course make it public.
Okay, I'll do that in the future.