These releases are about hardening
git shell that is used on servers against an unsafe user input, which
git cvsserver copes with poorly.
From the release notes:
* "git cvsserver" no longer is invoked by "git shell" by default, as it is old and largely unmaintained. * Various Perl scripts did not use safe_pipe_capture() instead of backticks, leaving them susceptible to end-user input. They have been corrected. Credits go to joernchen <firstname.lastname@example.org> for finding the unsafe constructs in "git cvsserver", and to Jeff King at GitHub for finding and fixing instances of the same issue in other scripts.
sudo dnf upgrade --advisory=FEDORA-2017-655f0d38c3
Please login to add feedback.