===========================================================================
                   AUSCERT Security Bulletin ASB-2014.0144
    Critical vulnerability in Git client could allow file overwrites and
                          arbitrary code execution
                              23 December 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Git client
Operating System:     Windows
                      OS X
Impact/Access:        Overwrite Arbitrary Files       -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-9390
Member content until: Thursday, January 22 2015

OVERVIEW

        GitHub has identified a client-side vulnerability in Git and
        Git-compatible client versions prior to 1.8.5.6, 1.9.5, 2.0.5,
        2.1.4 and 2.2.1. [1]

IMPACT

        GitHub has provided the following details regarding the
        vulnerability:

        CVE-2014-9390:

        "The vulnerability concerns Git and Git-compatible clients that
        access Git repositories in a case-insensitive or case-normalizing
        filesystem. An attacker can craft a malicious Git tree that will
        cause Git to overwrite its own .git/config file when cloning or
        checking out a repository, leading to arbitrary command execution
        in the client machine. Git clients running on OS X (HFS+) or any
        version of Microsoft Windows (NTFS, FAT) are exploitable through
        this vulnerability. Linux clients are not affected if they run in
        a case-sensitive filesystem." [1, 3]

MITIGATION

        Users on Windows and Mac OS X systems are advised to update to
        maintenance release 2.2.1 as soon as possible. Users on older
        maintenance tracks can update to 1.8.5.6, 1.9.5, 2.0.5 or 2.1.4,
        each of which also addresses the vulnerability. [2, 3]

REFERENCES

        [1] Vulnerability announced: update your Git clients
            https://github.com/blog/1938-git-client-vulnerability-announced

        [2] Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1 and thanking
            friends in Mercurial land
            http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html

        [3] [ANNOUNCE] Git v2.2.1 (and updates to older maintenance tracks)
            http://article.gmane.org/gmane.linux.kernel/1853266

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
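The collision described under IMPACT (a tree entry that a case-insensitive or case-normalizing filesystem maps onto .git) is something a repository host can screen for before accepting a push. The following is an added example, not AusCERT's or the Git project's code: it applies the component checks the patched releases perform (case folding; NTFS trailing dots, trailing spaces and the git~1 8.3 short name; the Unicode code points HFS+ ignores when comparing names) to a constructed `git ls-tree` listing. The short-name and HFS+ ignorable-character cases go beyond what the bulletin itself states.

```python
# Added example (not AusCERT's or the Git project's code): screen the paths of
# a pushed tree for components that a case-insensitive (NTFS, FAT) or
# case-normalizing (HFS+) filesystem would map onto ".git".

# Code points HFS+ ignores when comparing names, so ".g\u200cit" lands on
# ".git" on OS X. Set taken from Apple's HFS+ name-comparison rules.
HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D,
    0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF,
])

def normalise_ntfs(component):
    """NTFS compares case-insensitively and drops trailing dots and spaces."""
    return component.rstrip(". ").lower()

def normalise_hfs(component):
    """HFS+ compares case-insensitively after discarding ignorable code points."""
    return "".join(c for c in component if ord(c) not in HFS_IGNORABLE).lower()

def is_dotgit_component(component):
    """True if this path component would resolve to the .git directory on
    Windows or OS X. 'git~1' is the 8.3 short name NTFS assigns to .git."""
    return (normalise_ntfs(component) in (".git", "git~1")
            or normalise_hfs(component) == ".git")

def find_dotgit_paths(paths):
    """Return the entries of a `git ls-tree -r --name-only` listing that
    contain a colliding component. Both '/' and '\\' count as separators
    because Windows accepts either."""
    return [p for p in paths
            if any(is_dotgit_component(c) for c in p.replace("\\", "/").split("/"))]

# Constructed sample listing; the last four entries are the ones to reject.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                  # benign: not a .git component
    ".Git/config",                 # case collision on NTFS, FAT and HFS+
    ".git./hooks/post-checkout",   # trailing dot, dropped by NTFS
    "git~1/config",                # NTFS 8.3 short name
    ".g\u200cit/config",           # zero-width non-joiner, ignored by HFS+
]

if __name__ == "__main__":
    # In a pre-receive hook, feed the output of
    # `git ls-tree -r --name-only <new-sha>` instead of SAMPLE_TREE.
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("REJECT:", ascii(path))
```

A client that has already updated to one of the fixed releases refuses to check out such entries on its own; the hook keeps them out of shared repositories so that clients still on a vulnerable version never see them.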