-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0071
   [Win][UNIX/Linux][Debian] New Git packages fix remote code execution
                              20 January 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git-core
Publisher:         Debian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 4.0
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CVE-2008-5517 CVE-2008-5516

Original Bulletin:
  http://www.debian.org/security/2009/dsa-1708

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running git-core check for an updated version of the software for
         their operating system.

Revision History:  January 20 2009: Updated Operating Systems
                   January 20 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1708-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
January 19, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : git-core
Vulnerability  : shell command injection
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-5516 CVE-2008-5517
Debian Bug     : 512330

It was discovered that gitweb, the web interface for the Git version
control system, contained several vulnerabilities:

Remote attackers could use crafted requests to execute shell commands on
the web server, using the snapshot generation and pickaxe search
functionality (CVE-2008-5516).

Local users with write access to the configuration of a Git repository
served by gitweb could cause gitweb to execute arbitrary shell commands
with the permission of the web server (CVE-2008-5517).

For the stable distribution (etch), these problems have been fixed in
version 1.4.4.4-4+etch1.

For the unstable distribution (sid) and testing distribution (lenny), the
remote shell command injection issue (CVE-2008-5516) has been fixed in
version 1.5.6-1. The other issue will be fixed soon.

We recommend that you upgrade your Git packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives, architecture-independent packages (gitweb, git-daemon-run,
git-svn, gitk, git-doc, git-email, git-arch, git-cvs) and git-core packages
for the alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and
sparc architectures, each with its size and MD5 checksum, are listed in the
original bulletin at http://www.debian.org/security/2009/dsa-1708.

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
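Added example, not part of the AusCERT or Debian text: a small Python check that compares installed git-core package versions against the fixed versions named in the advisory, using Debian's version-ordering rules (epoch, upstream, revision, '~' sorting first) so that 1.4.4.4-4 correctly ranks below 1.4.4.4-4+etch1. The package names and fixed versions come from the advisory; the input lines are a constructed sample in the shape that `dpkg-query -W -f '${Package} ${Version}\n'` prints on a real host.

```python
import re
from itertools import zip_longest

# Binary packages built from the git-core source package, as listed in the
# advisory, and the fixed versions it names (1.5.6-1 fixes only CVE-2008-5516).
GIT_PKGS = {"git-core", "gitweb", "git-daemon-run", "git-svn", "gitk",
            "git-doc", "git-email", "git-arch", "git-cvs"}
FIXED = {"etch": "1.4.4.4-4+etch1", "lenny/sid": "1.5.6-1"}

def _order(c):
    # Debian ordering: '~' < end of string < letters < other non-digits.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared char by char) and digit runs
    # (compared numerically), the way dpkg does.
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # epoch:upstream-revision; epoch defaults to 0 and revision to ""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, in the sense of dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def unpatched(dpkg_lines, fixed):
    """(package, version) pairs of git-core binaries older than `fixed`;
    input lines are 'package version', one per line."""
    hits = []
    for line in dpkg_lines.splitlines():
        pkg, _, ver = line.partition(" ")
        if pkg in GIT_PKGS and ver and compare_versions(ver, fixed) < 0:
            hits.append((pkg, ver))
    return hits
# Constructed sample of an etch host where two git packages are still old.
SAMPLE = "git-core 1.4.4.4-4\ngitweb 1.4.4.4-4\ngit-doc 1.4.4.4-4+etch1\nperl 5.8.8-7\n"
```

On a lenny or sid host, compare against FIXED["lenny/sid"] but remember that, per the advisory, that version fixes only CVE-2008-5516.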
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
  http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
  http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================