These releases harden "git shell", which is used on servers, against
unsafe user input, which "git cvsserver" copes with poorly.
From the release notes:
* "git cvsserver" no longer is invoked by "git shell" by default,
  as it is old and largely unmaintained.
* Various Perl scripts did not use safe_pipe_capture() instead of
  backticks, leaving them susceptible to end-user input. They have
  been corrected.
Credits go to joernchen <joernchen@phenoelit.de> for finding the
unsafe constructs in "git cvsserver", and to Jeff King at GitHub for
finding and fixing instances of the same issue in other scripts.
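The second release-note item, shown as an added example that is not code from git or from this advisory: a backtick capture that hands a constructed input to the shell, beside a list-form pipe open that does not. The helper name capture_argv and the sample value are hypothetical; git's own helper is safe_pipe_capture(), whose implementation is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a value that arrives from a remote user,
# for example a module or revision name in a request.
my $untrusted = 'HEAD; echo INJECTED';

# Unsafe pattern: backticks interpolate the value into a /bin/sh command
# line, so the ';' ends the first command and the rest runs as a second one.
my $unsafe = `echo $untrusted`;

# Hardened pattern (capture_argv is a hypothetical helper for this example).
# List-form pipe open forks and execs the argument vector directly, with no
# shell in between, so each element reaches the program as one argument.
# Caveat: this holds only when the list has more than one element; a single
# string containing metacharacters is still handed to the shell.
sub capture_argv {
    my @argv = @_;
    die "capture_argv needs a program and at least one argument\n"
        if @argv < 2;
    open(my $child, '-|', @argv)
        or die "cannot run $argv[0]: $!\n";
    my @output = <$child>;
    close($child)
        or die "$argv[0] failed: " . ($! ? $! : "exit status $?") . "\n";
    # Mirror backticks: list of lines in list context, one string otherwise.
    return wantarray ? @output : join('', @output);
}

my $safe = capture_argv('echo', $untrusted);

# The backtick result contains the output of two commands; the list-form
# result contains the untrusted value echoed back as plain data.
print "backticks: $unsafe";
print "list form: $safe";
```

When auditing other Perl scripts for the same construct, qx// and single-string system() or exec() calls that interpolate variables deserve the same review as backticks.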
References:
http://seclists.org/oss-sec/2017/q3/534
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2017-9b35152c83
This update has been submitted for testing by tmz.
This update has been pushed to testing.
seems ok here
wfm
works for me
This update has been submitted for stable by bodhi.
This update has been pushed to stable.