FEDORA-2019-1cec196e20 created by tmz 4 months ago for Fedora 30
stable

Per the upstream release announcement¹, this release fixes "various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc. See the release notes attached for the list for their descriptions and CVE identifiers."

Refer to the 2.14.6 release notes² for details on these vulnerabilities.

¹ https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
² https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.14.6.txt

How to install

sudo dnf upgrade --advisory=FEDORA-2019-1cec196e20

This update has been submitted for testing by tmz.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

tmz edited this update.

4 months ago

This update has been pushed to testing.

4 months ago

tmz edited this update.

4 months ago
User Icon mgrabovs commented & provided feedback 4 months ago
karma

Works great.

User Icon mgrabovs commented & provided feedback 4 months ago
karma

Seems to work great.

User Icon mgrabovs commented & provided feedback 4 months ago
karma

Seems to work great.

This update's test gating status has been changed to 'greenwave_failed'.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

This update can be pushed to stable now if the maintainer wishes

4 months ago

This update has been submitted for stable by bodhi.

4 months ago
User Icon flo commented & provided feedback 4 months ago
karma

works fine for me

User Icon flo commented & provided feedback 4 months ago
karma

works fine for me

FEDORA-2019-1cec196e20 ejected from the push because "Cannot find relevant tag for git-2.21.1-1.fc30. None of ['f30-updates', 'f30-updates-pending'] are in ['dist-6E-epel-testing', 'epel7-testing', 'dist-5E-epel-testing', 'f27-modular-updates-testing', 'f30-modular-updates-testing', 'f30-container-updates-testing', 'f30-flatpak-updates-testing', 'f28-modular-updates-testing', 'f28-container-updates-testing', 'epel8-testing', 'f31-modular-updates-testing', 'f32-container-updates-testing', 'f31-container-updates-testing', 'f31-flatpak-updates-testing', 'f29-modular-updates-testing', 'f29-container-updates-testing', 'f29-flatpak-updates-testing', 'f22-updates-testing', 'f21-updates-testing', 'f25-updates-testing', 'f24-updates-testing', 'f23-updates-testing', 'f26-updates-testing', 'f27-updates-testing', 'f30-updates-testing', 'f28-updates-testing', 'f31-updates-testing', 'f32-updates-testing', 'f29-updates-testing', 'epel8-modular-updates-testing']."

3 months ago

This update has been pushed to stable.

3 months ago

Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
2
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
6
Stable by Time
14 days
Dates
submitted
4 months ago
in testing
4 months ago
in stable
3 months ago
modified
4 months ago
BZ#1781127 CVE-2019-1387 git: Remote code execution in recursive clones with nested submodules
0
0
BZ#1781143 CVE-2019-1349 git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/
0
0
BZ#1781953 CVE-2019-1348 git: Arbitrary path overwriting via export-marks in-stream command feature
0
0
BZ#1781954 CVE-2019-1387 git: remote code execution in recursive clones with nested submodules [fedora-all]
0
0
BZ#1781955 CVE-2019-1348 git: Arbitrary path overwriting via export-marks command option [fedora-all]
0
0
BZ#1781957 CVE-2019-1349 git: recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/ [fedora-all]
0
0
BZ#1781958 CVE-2019-1350 git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone
0
0
BZ#1781959 CVE-2019-1350 git: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone [fedora-all]
0
0
BZ#1781960 CVE-2019-1351 git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning
0
0
BZ#1781961 CVE-2019-1351 git: Git mistakes some paths for relative paths allowing writing outside of the worktree while cloning [fedora-all]
0
0
BZ#1781963 CVE-2019-1352 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams
0
0
BZ#1781964 CVE-2019-1352 git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all]
0
0
BZ#1781966 CVE-2019-1353 git: NTFS protections inactive when running Git in the Windows Subsystem for Linux
0
0
BZ#1781967 CVE-2019-1353 git: NTFS protections inactive when running Git in the Windows Subsystem for Linux [fedora-all]
0
0
BZ#1781968 CVE-2019-1354 git: Git does not refuse to write out tracked files with backlashes in filenames
0
0
BZ#1781969 CVE-2019-1354 git: Git does not refuse to write out tracked files with backlashes in filenames [fedora-all]
0
0
BZ#1781971 CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent
0
0
BZ#1781972 CVE-2019-19604 git: Recursive clone followed by a submodule update could execute code contained within repository without the user explicitly consent [fedora-all]
0
0

Automated Test Results