These releases harden "git shell", which is used on servers,
against unsafe user input, which "git cvsserver"
copes with poorly.
From the release notes:
* "git cvsserver" no longer is invoked by "git shell" by default,
  as it is old and largely unmaintained.
* Various Perl scripts did not use safe_pipe_capture() instead of
  backticks, leaving them susceptible to end-user input. They have
  been corrected.
Credits go to joernchen <joernchen@phenoelit.de> for finding the
unsafe constructs in "git cvsserver", and to Jeff King at GitHub for
finding and fixing instances of the same issue in other scripts.
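To illustrate the second release note, here is an added example (not code from git or from this update) contrasting Perl backticks with a pipe opened in list form. The `safe_pipe_capture` below is an illustrative stand-in for the helper named in the release notes, and `$untrusted` is a constructed sample value.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative helper (an assumption, not git's own implementation): run a
# command without a shell and capture its output. With two or more list
# elements, open() execs the program directly, so each element of @cmd
# reaches it as exactly one argv entry.
sub safe_pipe_capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh)
        or die "$cmd[0] failed: " . ($! ? $! : "exit status " . ($? >> 8));
    return wantarray ? @out : join('', @out);
}

# Constructed sample input standing in for a value supplied by a remote user.
my $untrusted = 'module; echo SHELL-RAN-THIS';

# Unsafe: backticks hand the interpolated string to /bin/sh, which treats
# ';' as a command separator and runs the second command as well.
my $unsafe = `printf '%s\\n' $untrusted`;

# Safe: no shell is involved, so the whole value is one literal argument.
my $safe = safe_pipe_capture('printf', '%s\n', $untrusted);

print "backticks:\n$unsafe";
print "safe_pipe_capture:\n$safe";
```

Avoiding the shell does not stop a value beginning with `-` from being read as an option by the program being run, so such values still need validation or a `--` separator where the program supports one.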
References:
http://seclists.org/oss-sec/2017/q3/534
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2017-655f0d38c3
This update has been submitted for testing by tmz.
works
This update has been pushed to testing.
No issues
Works great! LGTM! =)
This update has been submitted for stable by bodhi.
This update has been pushed to stable.