FEDORA-2017-8ba7572cfd

security update in Fedora 25 for git

Status: stable 2 years ago

Resolve an arbitrary code execution vulnerability via crafted "ssh://" URL (CVE-2017-1000117).

From the release announcement:

A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.

Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.

Comments 7

This update has been submitted for testing by tmz.

This update has been pushed to testing.

I been waiting for this update. LGTM

karma: +1 critpath: +1 #1480386: +1

LGTM

karma: +1 critpath: +1 #1480386: +1

Works

karma: +1

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

Add Comment & Feedback

Please login to add feedback.

Content Type
RPM
Status
stable
Test Gating
Submitted by
Update Type
security
Update Severity
high
Karma
+3
stable threshold: 3
unstable threshold: -3
Autopush (karma)
Enabled
Autopush (time)
Disabled
Dates
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago

Related Bugs 1

0+2 #1480386 CVE-2017-1000117 git: Command injection via malicious ssh URLs

Automated Test Results