Ubuntu
git package

Please update Git to get the fix to CVE-2017-1000117

Bug #1710016 reported by Jonathan Nieder on 2017-08-10

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	git (Ubuntu)	Fix Released	Undecided	Unassigned

A security bugfix was released today to Git: https://<email address hidden>/T/#u.

Without it, cloning an attacker-controlled ssh:// URL (either directly or indirectly via submodules) leads to arbitrary code execution.

Revision history for this message

Jonathan Nieder (jrnieder) wrote on 2017-08-10:

+linkcve doesn't like the shape of 2017-1000117 or CVE-2017-1000117 so I can't link it.

information type:

Private Security → Public Security

Revision history for this message

Steve Beattie (sbeattie) wrote on 2017-08-11:

This has been addressed for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 17.04 in https://usn.ubuntu.com/usn/usn-3387-1/.

Thanks!

Revision history for this message

Jonathan Nieder (jrnieder) wrote on 2017-08-11:

Thanks. Is there a reason zesty has custom security patches instead of reusing the work from Debian stretch?

Marc Deslauriers (mdeslaur) on 2017-08-18

Changed in git (Ubuntu):
status:	New → Fix Released

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Bug watches keep track of this bug in other bug trackers.