FEDORA-2017-b1b3ae6666

security update in Fedora 26 for git

Status: stable 2 years ago

Resolve an arbitrary code execution vulnerability via crafted "ssh://" URL (CVE-2017-1000117).

From the release announcement:

A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.

Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.

Comments 8

This update has been submitted for testing by tmz.

This update has been pushed to testing.

Works

karma: +1

Works for me. No regressions noted compared to previous version.

karma: +1

works for me

karma: +1

This update has been submitted for stable by bodhi.

This update has been pushed to stable.

LGTM

karma: +1 critpath: +1 #1480386: +1


Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: high
Karma: +4 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 2 years ago, in testing 2 years ago, in stable 2 years ago

Related Bugs 1

0+1 #1480386 CVE-2017-1000117 git: Command injection via malicious ssh URLs
