[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
This bug was fixed in the package git - 1:2.11.0-2ubuntu0.3

---
git (1:2.11.0-2ubuntu0.3) zesty-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley  Tue, 03 Oct 2017 13:02:47 -0500

** Changed in: git (Ubuntu Zesty)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719740

Title:
  [CVE] Git cvsserver OS Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
This bug was fixed in the package git - 1:2.7.4-0ubuntu1.3

---
git (1:2.7.4-0ubuntu1.3) xenial-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley  Tue, 03 Oct 2017 13:14:37 -0500

** Changed in: git (Ubuntu Xenial)
       Status: In Progress => Fix Released

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
This bug was fixed in the package git - 1:1.9.1-1ubuntu0.7

---
git (1:1.9.1-1ubuntu0.7) trusty-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley  Tue, 03 Oct 2017 13:20:58 -0500

** Changed in: git (Ubuntu Trusty)
       Status: In Progress => Fix Released

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
This bug was fixed in the package git - 1:2.14.1-1ubuntu4

---
git (1:2.14.1-1ubuntu4) artful; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley  Tue, 26 Sep 2017 19:11:26 -0500

** Changed in: git (Ubuntu Artful)
       Status: Fix Committed => Fix Released

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
ACK on the zesty debdiff, thanks!

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
Attached is a debdiff for Zesty applicable to 1:2.11.0-2ubuntu0.2. I tested it in a LXD container and it works as intended with no apparent regressions.

** Patch added: "1-2.11.0-2ubuntu0.3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+attachment/4961735/+files/1-2.11.0-2ubuntu0.3.debdiff

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
** Changed in: git (Ubuntu Artful)
       Status: In Progress => Fix Committed

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
OK, as pointed out on irc, commit 31add46823fe926e85efbfeab865e366018b33b4 does contain the three others. Looks good, thanks! Uploading now.

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
Hi Simon,

I think you're missing a few commits. Here is the list of commits Debian has added:

http://repo.or.cz/git/debian.git/commit/ad86ba2e77a442db38510bcc5e5283872df49d88

Also, you don't need to change the patch headers, just leave the original git commit headers there.

Thanks!

[Bug 1719740] Re: [CVE] Git cvsserver OS Command Injection
** Summary changed:

- [DSA 3984-1] Git cvsserver OS Command Injection
+ [CVE] Git cvsserver OS Command Injection