From: Thomas Deutschmann
Reply-To: security@gentoo.org
To: gentoo-announce@lists.gentoo.org
Subject: [gentoo-announce] [ GLSA 201805-13 ] Git: Multiple vulnerabilities
Date: Wed, 30 May 2018 03:27:50 +0200
Organization: Gentoo Foundation, Inc

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 201805-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Git: Multiple vulnerabilities
     Date: May 30, 2018
     Bugs: #656868
       ID: 201805-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Git contains multiple vulnerabilities that allow for the remote
execution of arbitrary code.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-vcs/git                  < 2.16.4                  >= 2.16.4

Description
===========

Multiple vulnerabilities have been discovered in Git. Please review the
CVE identifiers referenced below for details.

Impact
======

Remote attackers could execute arbitrary code on both client and
server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.16.4"

References
==========

[ 1 ] CVE-2018-11233
      https://nvd.nist.gov/vuln/detail/CVE-2018-11233
[ 2 ] CVE-2018-11235
      https://nvd.nist.gov/vuln/detail/CVE-2018-11235

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201805-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
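
The version boundary from the Affected packages table (dev-vcs/git < 2.16.4 vulnerable, >= 2.16.4 unaffected) can be checked on a host as follows. This is an added example, not part of the Gentoo advisory; the function names and the suffix handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory: test a Git version against the
# GLSA 201805-13 boundary (dev-vcs/git < 2.16.4 vulnerable, >= 2.16.4 not).
# Function names are illustrative.

FIXED_VERSION="2.16.4"   # first unaffected version, from the advisory table

# version_lt A B: succeed if dotted version A is strictly lower than B.
# Components compare numerically, so 2.9.5 < 2.16.4 (a string comparison
# gets this wrong). Missing components count as 0. Simplification: only the
# leading digits of a component are used, so "4-r1" or "0_rc1" count as 4, 0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop component read
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}             # keep leading digits
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# extract_git_version TEXT: "git version 2.16.3" -> "2.16.3"
extract_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][^ ]*\).*/\1/p'
}

# glsa_status VERSION: print "vulnerable" or "unaffected"
glsa_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Report on the local installation when git is present.
if command -v git >/dev/null 2>&1; then
    v=$(extract_git_version "$(git --version)")
    [ -z "$v" ] || echo "git $v: $(glsa_status "$v")"
fi
```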