[Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell)


From: Leo Famulari
Subject: [Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell)
Date: Wed, 7 Jun 2017 16:39:59 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

Dear Savannah,

CVE-2017-8386 [0] was recently fixed for Git. This bug allows remote users
to bypass authentication restrictions in git-shell and possibly have
other impacts.

This bug was fixed in upstream Git maintenance releases Git v2.4.12,
v2.5.6, v2.6.7, v2.7.5, v2.8.5, v2.9.4, v2.10.3, v2.11.2, and v2.12.3.
Apparently, 2.12.3 included some more unnamed security fixes:

http://marc.info/?l=linux-kernel&m=149437481723960&w=2

Does Savannah use git-shell? Has anybody looked into this yet?

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
Fix commit: https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5

Attachment: signature.asc
Description: PGP signature