stable

git-2.17.1-2.fc28

FEDORA-2018-75f7624a9f created by tmz 6 years ago for Fedora 28

Upstream security fixes related to .gitmodules handling. From the upstream announcement:

* Submodule "names" come from the untrusted .gitmodules file, but we
  blindly append them to $GIT_DIR/modules to create our on-disk repo
  paths. This means you can do bad things by putting "../" into the
  name. We now enforce some rules for submodule names which will cause
  Git to ignore these malicious names (CVE-2018-11235).

  Credit for finding this vulnerability and the proof of concept from
  which the test script was adapted goes to Etienne Stalmans.

* It was possible to trick the code that sanity-checks paths on NTFS
  into reading random piece of memory (CVE-2018-11233).

A preliminary patch to resolve an issue with zlib on aarch64 is also included (#1582555).
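As an added illustration (not part of the upstream announcement and not Git's own code), this Python example audits a .gitmodules file for submodule names of the kind the first item describes. The rule it applies (reject empty names and any ".." path component, with both "/" and "\" as separators) is an assumption of this example, since the announcement does not spell the rules out; the function names and the sample input are constructed.

```python
import re

# Header of a [submodule "<name>"] section; \" and \\ are escapes in the name.
SECTION_RE = re.compile(
    r'^\s*\[\s*submodule\s+"((?:[^"\\]|\\.)*)"\s*\]', re.IGNORECASE)


def submodule_name_ok(name):
    """True if the name is safe to append to $GIT_DIR/modules.

    Assumed rule: non-empty, and no path component equal to "..", with
    both "/" and "\\" treated as separators on every platform.
    """
    if not name:
        return False
    return ".." not in re.split(r"[/\\]", name)


def audit_gitmodules(text):
    """Return (line number, name) for every section whose name is rejected."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SECTION_RE.match(line)
        if not match:
            continue
        name = re.sub(r"\\(.)", r"\1", match.group(1))  # undo config escapes
        if not submodule_name_ok(name):
            findings.append((lineno, name))
    return findings


# Constructed sample .gitmodules content (not from any real repository).
SAMPLE = r'''[submodule "libs/zlib"]
    path = libs/zlib
    url = https://example.com/zlib.git
[submodule "../../escape"]
    path = vendor/escape
    url = https://example.com/escape.git
[submodule "docs..v2"]
    path = docs
    url = https://example.com/docs.git
[submodule "a\\..\\b"]
    path = b
    url = https://example.com/b.git
'''

if __name__ == "__main__":
    for lineno, name in audit_gitmodules(SAMPLE):
        print(f"line {lineno}: rejected submodule name {name!r}")
```

The check looks only at the section name, not at the path or url keys, because the name is the value that ends up under $GIT_DIR/modules.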

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-75f7624a9f

This update has been submitted for testing by tmz.

6 years ago

tmz edited this update.

6 years ago

tmz edited this update.

6 years ago

tmz edited this update.

6 years ago
danniel commented & provided feedback 6 years ago

works

Hi,

I tried to install from the koji build, but the transaction failed:

Last metadata expiration check: 0:56:09 ago on Wed 30 May 2018 03:01:12 PM CEST.
Error:
 Problem: problem with installed package git-core-doc-2.17.0-3.fc28.noarch
  - package git-core-doc-2.17.0-3.fc28.noarch requires git-core = 2.17.0-3.fc28, but none of the providers can be installed
  - package git-core-doc-2.17.0-1.fc28.noarch requires git-core = 2.17.0-1.fc28, but none of the providers can be installed
  - cannot install both git-core-2.17.1-2.fc28.x86_64 and git-core-2.17.0-3.fc28.x86_64
  - cannot install both git-core-2.17.1-2.fc28.x86_64 and git-core-2.17.0-1.fc28.x86_64
  - conflicting requests
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)

In fact, git-core-doc is not upgraded in the security fix update.

shannara commented & provided feedback 6 years ago

Edit:

Sorry, in fact I didn't see that git-core-doc is a noarch package; I forgot to download it.

With git-core-doc and perl-Git it works great.

Thanks for the work.

This update has been pushed to testing.

6 years ago
imabug provided feedback 6 years ago
jgjorgji provided feedback 6 years ago
mzink commented & provided feedback 6 years ago

Works for me

This update has been submitted for batched by tmz.

6 years ago

This update has been submitted for stable by tmz.

6 years ago
cserpentis commented & provided feedback 6 years ago

works for me

defolos commented & provided feedback 6 years ago

works for me too

This update has been pushed to stable.

6 years ago


Metadata
Type: security
Severity: high
Karma: 7
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 6 years ago
in testing: 6 years ago
in stable: 6 years ago
modified: 6 years ago
BZ#1582555 regression in zlib-1.2.11-8: ARM optimizations broke git log on aarch64
BZ#1583862 CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
BZ#1583878 CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository [fedora-all]
BZ#1583888 CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory
BZ#1583890 CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory [fedora-all]
