-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4599
                            git security update
                              11 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19604 CVE-2019-1387 CVE-2019-1353 CVE-2019-1352
                   CVE-2019-1349 CVE-2019-1348
Reference:         ESB-2019.4211
                   ESB-2019.3242

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4581

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4581-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
December 10, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353
                 CVE-2019-1387 CVE-2019-19604

Several vulnerabilities have been discovered in git, a fast, scalable,
distributed revision control system.

CVE-2019-1348

    It was reported that the --export-marks option of git fast-import is
    exposed also via the in-stream command feature export-marks=...,
    allowing to overwrite arbitrary paths.

CVE-2019-1387

    It was discovered that submodule names are not validated strictly
    enough, allowing very targeted attacks via remote code execution when
    performing recursive clones.

CVE-2019-19604

    Joern Schneeweisz reported a vulnerability, where a recursive clone
    followed by a submodule update could execute code contained within the
    repository without the user explicitly having asked for that. It is
    now disallowed for `.gitmodules` to have entries that set
    `submodule.<name>.update=!command`.

In addition this update addresses a number of security issues which are
only an issue if git is operating on an NTFS filesystem (CVE-2019-1349,
CVE-2019-1352 and CVE-2019-1353).

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.11.0-3+deb9u5.

For the stable distribution (buster), these problems have been fixed in
version 1:2.20.1-2+deb10u1.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl3v+DpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TR6Q/+IWXXUuRm25//+lK49cbuK/+FeJeflX+6jGM6xoCjolI5PytqxycP45xm
rYhJfinm4slwb02m6i3nBlWQ1UQrIrJMqx0jYLIsPQy49vKyBrXXG10yTQXY0W6O
Cu4UJyt0+vHciE6nCgJTqcHYfEAP8JcuTyVCd//mkKGN3XCWKllc31bTjzWq1OzI
ssmZKJhx38uK2M+PyCIIiTHsZioW07j+Z80KbIBjExLRZx+5tggs46F/Az35hyQX
Ff39tEPJm3Wx+9YkNBi7IIaRUQeYD8lcUfQydaVGT8qyR4uaAoztU9vWMDKGcMXd
paZWr2OHu7q06QrTfbiZ1dnTaC5F88atgu7oy9689+MZjwyMCUCo6rloRCwDA+Sq
EZaJYIeFeRM9G04FEwcvAwWiYaYFMbFM2rTh+dKccJArxm3eIvqlyQE+zuqbUkeh
AMFKHDJknG3ilnlUZHG5PLWYMUnHRaIzTWEicppwe7RnbtrlMTPFCaVCXW90y2+5
lZAQYeGBh18CF7O5K2OJSFtcypx2Viu6hIARSdzwNsiF5im0iusOYk17XjrbEs3q
Bvqf299HRYtzbhKG60BSxgUbFZi5rjMbVKOf5TYc0dGYmT2K1tkIMOkXDXRozjC0
qX4sPRldX+QZAtjJnpDvqmUNwXCpggfGlQFk2Dofph1a/kahwsY=
=mFpS
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfAhBGaOgq3Tt24GAQgVFBAAxZzyggZ10o7f5DPRlVrx4pskRs0ndM1F
fUinFi3yTb4NNB85lrQ9wE4gI3UJz/y/6ZEyseVvHlz5e8uKzq0aBkpuMKDuEx4z
5nYQFp0vhaDHjWEIy0iK0FyWh5GDKKRLfH7iwdbbCK9D3Wir4JNXGMsm3zAMxmE9
Wwg/bDTYfGijx1gwMIj+rGkfpK4eP0zMT5qT3OwFD7E4+sktwrVRn5JYsOaANJq0
sRLCFgea/j1jGl471XApZ3zKfNLblree2mDhJxbsFUQA9wJ4jirDFEEXxUPf8/JC
+NWsAPedazyenI2WQgWBVAo/vHqHEq+5sDw79S7/LXAkLuRQ8D1ejOgdbccTNvuF
HOy/cTycNrWSO6218aAb1g7WsbfbxEp/9XN+0ashPGhWpzYUrCNZiBg1IU8OJXe4
ZUAtbU0YqhErE1Ff0IDTFJErZ1Z9OjP7SnqeBxxJdWXCn2KZqUq0qVomooVS9bLc
JvOL0vb0TqjUZ1MMqf5MHlRnRZwCJWDocQt3eCoxixBlghJAnMx5ZCOf6aOmBks9
V8MB/0QUE5uwo+soLCrbc06ykWMaSCjoRuzPQJGUIp/RNj+W6ttKIaNEVrs18ABh
c8Vt7CXLn0hBzdmGEOkYmNi/qwYMSMWpV5fVfd2p7FQeBW4U9dndH6SWNOwpSJMt
k2mgV5V+RwI=
=Ci+5
-----END PGP SIGNATURE-----
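Added defender-side example (not part of the AusCERT bulletin, the Debian advisory, or git itself): a small audit script that looks in a repository's `.gitmodules` for the two patterns the advisory names, a `submodule.<name>.update` value of the `!command` form (the entries CVE-2019-19604's fix now rejects) and submodule names or paths that are not plain relative paths (a conservative proxy for the stricter name validation behind CVE-2019-1387; it is an assumption of this example, not a restatement of git's exact rule), plus a scan of a git fast-import stream for in-stream `export-marks=` commands (the CVE-2019-1348 pattern). The `.gitmodules` and fast-import samples are constructed for the example; the parser is a minimal one written here, not git's config parser.

```python
"""Audit helpers for the patterns described in DSA-4581 (example code)."""
import re
from typing import Dict, List, Tuple

# [submodule "name"] section header; the name may contain slashes.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
# key = value line inside a section.
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')
# In-stream fast-import commands that name a marks output file. 'feature' is
# the form the advisory mentions; 'option' is the other in-stream form git accepts.
FAST_IMPORT_MARKS_RE = re.compile(r'^(feature|option)\s+export-marks=')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .gitmodules parser written for this example.

    Handles [submodule "name"] sections with key = value lines; '#'/';' comments
    and blank lines are skipped. Keys are lower-cased because git config keys
    are case-insensitive.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return modules


def suspicious_path(value: str) -> bool:
    """Conservative check (an assumption of this example): flag values that are
    empty, absolute, contain a backslash, or have a '..' path component."""
    if not value or value.startswith("/") or "\\" in value:
        return True
    return any(part == ".." for part in value.split("/"))


def audit_gitmodules(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, issue) pairs for the patterns named in the advisory."""
    findings: List[Tuple[str, str]] = []
    for name, keys in parse_gitmodules(text).items():
        if suspicious_path(name):
            findings.append((name, "submodule name is not a plain relative path"))
        if suspicious_path(keys.get("path", "")):
            findings.append((name, "submodule path is not a plain relative path"))
        update = keys.get("update", "")
        if update.startswith("!"):
            # submodule.<name>.update=!command: git runs the command on update.
            findings.append((name, "update setting runs a command: " + update))
    return findings


def find_export_marks(stream: str) -> List[int]:
    """Return 1-based line numbers of in-stream export-marks commands."""
    return [i for i, line in enumerate(stream.splitlines(), 1)
            if FAST_IMPORT_MARKS_RE.match(line.strip())]


# Constructed sample input (not taken from any real repository).
SAMPLE_GITMODULES = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
[submodule "lib/hook"]
\tpath = lib/hook
\turl = https://example.invalid/hook.git
\tupdate = !run-hook
[submodule "../escape"]
\tpath = ../escape
\turl = https://example.invalid/escape.git
"""

# Constructed fast-import stream with one in-stream export-marks command.
SAMPLE_FAST_IMPORT = """\
feature done
feature export-marks=/tmp/marks
blob
mark :1
data 5
hello
"""

if __name__ == "__main__":
    for module, issue in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{module}: {issue}")
    print("export-marks commands at lines:", find_export_marks(SAMPLE_FAST_IMPORT))
```

Run it against a checked-out repository by reading its `.gitmodules` into `audit_gitmodules`; a non-empty result is a reason to inspect the repository before running a recursive clone or `git submodule update` with a git older than the fixed Debian versions. The fast-import check is only useful on streams you feed to `git fast-import` from an untrusted source.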