[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Launchpad Bug Tracker
1774061 at bugs.launchpad.net
Tue Jun 5 21:09:09 UTC 2018
This bug was fixed in the package git - 1:2.17.1-1ubuntu0.1
---------------
git (1:2.17.1-1ubuntu0.1) bionic-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via submodule names
in .gitsubmodules.
- CVE-2018-11235
* SECURITY UPDATE: out-of-bounds memory when sanity-checking
pathnames on NTFS
- CVE-2018-11233
* Merge from Debian (LP: #1774061). Remaining changes:
- debian/control: build against pcre v3 only
- debian/rules: s390x libpcre3 library has JIT disabled, set
NO_LIBPCRE1_JIT on that arch to stop the build from failing.
git (1:2.17.1-1) unstable; urgency=high
* new upstream point release to fix CVE-2018-11235, arbitary code
execution via submodule names in .gitmodules (see RelNotes/2.17.1.txt).
-- Steve Beattie <sbeattie at ubuntu.com> Thu, 31 May 2018 10:50:28 -0700
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1774061
Title:
git: CVE-2018-11235 arbitary code execution via submodule names in
.gitmodules
Status in git package in Ubuntu:
Fix Released
Bug description:
Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE 2018-11235 announced here:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
Debian has fixed packages here: https://security-
tracker.debian.org/tracker/CVE-2018-11235
I could not find the fixed packages for Ubuntu, the Ubuntu link on the
above debian tracker results in a 404, and there is no newer package
available in the repository for 18.04 LTS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1774061/+subscriptions
More information about the foundations-bugs
mailing list