Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0071 -- [Win][UNIX/Linux][Debian]
New Git packages fix remote code execution
20 January 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: git-core
Publisher: Debian
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Debian GNU/Linux 4.0
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-5517 CVE-2008-5516
Original Bulletin: http://www.debian.org/security/2009/dsa-1708
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running git-core check for an updated version of the software for
their operating system.
Revision History: January 20 2009: Updated Operating Systems
January 20 2009: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1708-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
January 19, 2009 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : git-core
Vulnerability : shell command injection
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-5516 CVE-2008-5517
Debian Bug : 512330
It was discovered that gitweb, the web interface for the Git version
control system, contained several vulnerabilities:
Remote attackers could use crafted requests to execute shell commands on
the web server, using the snapshot generation and pickaxe search
functionality (CVE-2008-5516).
Local users with write access to the configuration of a Git repository
served by gitweb could cause gitweb to execute arbitrary shell commands
with the permission of the web server (CVE-2008-5517).
For the stable distribution (etch), these problems have been fixed in
version 1.4.4.4-4+etch1.
For the unstable distribution (sid) and testing distribution (lenny),
the remote shell command injection issuei (CVE-2008-5516) has been fixed
in version 1.5.6-1. The other issue will be fixed soon.
We recommend that you upgrade your Git packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz
Size/MD5 checksum: 1054130 99bc7ea441226f792b6f796a838e7ef0
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1.diff.gz
Size/MD5 checksum: 88583 47033ef17360b441eb508094a3ab6b2b
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1.dsc
Size/MD5 checksum: 1097 b907083d358ff2dc892790569fe3a164
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 89094 1dc1b790f989600d62ba2d347d890a43
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 55504 7d1a4bf7bf17f179f94f513fc56f1ffc
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 100426 149f0e2dda76e4d7613200d530db9e67
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 99598 800ea1d003baf1e348fda3b661fc16ed
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 453076 4d102f5051116516cf4cc45b10637871
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 62792 201df12660ca0b6180e5fa3c5e0a3543
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 68508 1489a2af3d016ff8b1a4c612365870b8
http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-4+etch1_all.deb
Size/MD5 checksum: 94516 afef0aca9b13d1d50af28cbb0d9cc1aa
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_alpha.deb
Size/MD5 checksum: 3101926 6422c5ad17a7248820c3c27195051b0c
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_amd64.deb
Size/MD5 checksum: 2642144 b81b341dce9b234eb193d40decd1283b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_arm.deb
Size/MD5 checksum: 2322772 d5c371c8f6f3923edaf880df795870e4
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_hppa.deb
Size/MD5 checksum: 2693958 c519a9e4cfeda0f11fe92e23756c6759
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_i386.deb
Size/MD5 checksum: 2340718 94abafaa8e010240a6a2da50ca717217
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_ia64.deb
Size/MD5 checksum: 3815660 9b0970058eecaf9abd12e5cc472d0434
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_mips.deb
Size/MD5 checksum: 2784146 b345d0ffd96b307025924f99fed33e9e
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_mipsel.deb
Size/MD5 checksum: 2801244 7067901dea12981db4f09e186888e5b3
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_powerpc.deb
Size/MD5 checksum: 2638996 23afd3d0fc61699d0850793c2dbd0047
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_s390.deb
Size/MD5 checksum: 2628016 8f29e9b8b465bf570e8ee7bf78e3437d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch1_sparc.deb
Size/MD5 checksum: 2301444 93f43ba8edfb78438a6d7d66b96e4816
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJJdOgyAAoJEL97/wQC1SS+aaAIAKft8eWfOYqWyNxCeWRoD+v9
Y83tWBlrIoVkEJQqwm/l5L2YVlzZ0uEE7w/OxOVg31SmibwBsnx1OF2IefSmryHe
kUM2TIHfA4/V0kjgs8E1IaQT/3TSRWmSfgQPlUACti4ijsWU/o4pDreyFh+fa0sN
pldwxqxojCo8QVlosJDII8wyZ75DjMlam2UujQAbZrdd7j16SHh/LfZ0vbxTO+PX
mqAOMicVz2b/1IFYjL4YK0NThxvyivtTVT8Nc7nb7As8kUZAF+Uu3yvXFzavObBQ
6Qs6rCThVf+HXE6pDw3MmDU869pfP4H8Irxh6Jy6/2gaJcjNXVqCuCA+v44CJqg=
=6LbJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSXUb6yh9+71yA2DNAQIkFQP/WaN/+uxvt92dV6lJkz6D8p3Kwfa5kAzd
XgQKlZIuACyKXAWKE/EIgmW/bkoo7HCutzHQ1LgMv1a3ui+Hpb2MPvQZJyEtwAyX
QHJ8oi1xcMRbwsxkik6rQa8P09snTRoTObs4b4mbcIXIEo2WuY+p4LkXiMRajXI+
pcBd6/HW64g=
=l4KE
-----END PGP SIGNATURE-----