[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-she
|
From: |
Leo Famulari |
|
Subject: |
Re: [Savannah-hackers-public] Git CVE-2017-8386 (auth bypass via git-shell) |
|
Date: |
Wed, 7 Jun 2017 18:24:35 -0400 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
On Wed, Jun 07, 2017 at 09:54:54PM +0000, Assaf Gordon wrote:
> Hello
>
> On Wed, Jun 07, 2017 at 04:39:59PM -0400, Leo Famulari wrote:
>
> > CVE-2017-8386 [0] was recently fixed for Git. This bug allows remote users
> > to bypass authentication restrictions in git-shell [...]
> > Does Savannah use git-shell? Has anybody looked into this yet?
>
> Thank you for alerting us to this issue.
>
> Savannah does use 'git-shell',
> but we're also using a standard GNU/Linux distribution,
> and the fixed version was already in place as part
> of the automatic daily security updates
> (verified manually by Bob Proulx, just now).
Awesome, thanks for double-checking.
> Please do continue to send us such alerts if they seem relevant -
> another look can never hurt.
>
> If you (or others) discover a new vulnerability with savannah,
> we encourage everyone to report it to us private at:
> savannah-hackers-private (at) gnu (dot) org .
> We will work with you quickly to resolve it,
> and then of course make it public.
Okay, I'll do that in the future.
signature.asc
Description: PGP signature