lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20100131133524.9FECA3268CA@morgana.loeki.tv>
Date: Sun, 31 Jan 2010 14:35:24 +0100 (CET)
From: Thijs Kinkhorst <thijs@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1841-2] New git-core packages fix
	build failure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1841-2                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
January 31, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : git-core
Vulnerability  : several
Problem type   : remote
Debian-specific: no
Debian bug     : 532935
CVE ID         : CVE-2009-2108

A bug in git-core caused the security update in DSA 1841 to fail to
build on a number of architectures Debian supports. This update corrects
the bug and releases builds for all supported architectures. The original
advisory is quoted in full below for reference.

It was discovered that git-daemon which is part of git-core, a popular
distributed revision control system, is vulnerable to denial of service
attacks caused by a programming mistake in handling requests containing
extra unrecognized arguments which results in an infinite loop. While
this is no problem for the daemon itself as every request will spawn a
new git-daemon instance, this still results in a very high CPU consumption
and might lead to denial of service conditions.

For the oldstable distribution (etch), this problem has been fixed in
version 1.4.4.4-4+etch4.

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny3.

For the testing distribution (squeeze), this problem has been fixed in
version 1:1.6.3.3-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.6.3.3-1.

We recommend that you upgrade your git-core packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz
    Size/MD5 checksum:  1054130 99bc7ea441226f792b6f796a838e7ef0
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4.diff.gz
    Size/MD5 checksum:    73235 dc66a5a33f4d839abd293af8e9d1c7f0
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4.dsc
    Size/MD5 checksum:      806 4ecf33d79aef69bd3ee67e39bd2e5603

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    99956 bb358ac7ca0a4ff838d3b649fc280ac5
  http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    94344 35222422017d16424d60b572d448b2ed
  http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:   101186 e50e5c5b047fd40306ec79177fb1e27b
  http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    63440 1ce3e8f130c61118e15f50fbea98f745
  http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    69120 555d3f7a0f717f022b837ec218840b5b
  http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    88662 089131cbe345889f72b524e8d0c657ed
  http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:    55972 d06f9e25da08588e38b2c0a6fa346c4a
  http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-4+etch4_all.deb
    Size/MD5 checksum:   466846 3bef63b0904636416641058a04814b10

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_alpha.deb
    Size/MD5 checksum:  3088230 4515c64cfea5951473db08b8cc3435d3

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_amd64.deb
    Size/MD5 checksum:  2632004 b044de6564162f32353d84343e1e41ae

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_arm.deb
    Size/MD5 checksum:  2320858 3ed0f7b8c366351121fc9534df90d328

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_hppa.deb
    Size/MD5 checksum:  2694200 17f793cb6d02e633053f18d820ed63b1

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_i386.deb
    Size/MD5 checksum:  2349876 2c0d7e7f67af0f3d956626e4bf9c61a6

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_ia64.deb
    Size/MD5 checksum:  3815920 54305a771f4728607741fc91825abd60

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_mips.deb
    Size/MD5 checksum:  2769740 ff6077a27445fa6be6dc6df8d7a412ae

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_mipsel.deb
    Size/MD5 checksum:  2801552 d4a45ed2e6e0907d4a9b176ca9943e1d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_powerpc.deb
    Size/MD5 checksum:  2639258 1626503d70b23864cc452876643b4b77

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_s390.deb
    Size/MD5 checksum:  2628348 7c6ba1577e3019fb36b9cd1e3b1ad9e0

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_sparc.deb
    Size/MD5 checksum:  2298750 ae0ebfaeceba12e48b1240f0e6cf2a14

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.dsc
    Size/MD5 checksum:     1332 f4dfc057bd2a48ba453816e04f34b7df
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
    Size/MD5 checksum:  2103619 c22da91c913a02305fd8a1a2298f75c9
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.diff.gz
    Size/MD5 checksum:   228640 87e8934e0efe7f374b21e0f8fb15474f

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   268052 976f1bdd1a003aa01360235d506a68b6
  http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   217816 a0719a52047880856fc560fbdd54311e
  http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   231042 a313316163e3db501357d834a1db7b90
  http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   267244 0b91300ac7fee3068cd7767f8998a6a6
  http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   298644 843b4c601e157df5f1ea559fe22e7a72
  http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   401594 d6737e683c17e09a3ecf7e9149af5de4
  http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   268286 1582d20b0024de9879e3f289129106d8
  http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:  1076836 1ec7e1d1d2539ed4277c35bef096ae8b
  http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny3_all.deb
    Size/MD5 checksum:   229326 aaf22d02fe5ac00a424be096dd8c1f80

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_alpha.deb
    Size/MD5 checksum:  3808760 24030074496a4a25e448baf21aae4450

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_amd64.deb
    Size/MD5 checksum:  3419522 190a16cd10d5591706e79d15831d6bfa

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_arm.deb
    Size/MD5 checksum:  3045458 8bebf2cf789fcba33a1d0dfc8d259f6b

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_armel.deb
    Size/MD5 checksum:  3068324 11e7a4ad3c4cd6c91b58d79536fdc282

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_hppa.deb
    Size/MD5 checksum:  3162798 fb850a0f8b458cc8ef68b7a98c25d269

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_i386.deb
    Size/MD5 checksum:  3139856 a19a17b97f8028298fe0bf0cc77fa139

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_ia64.deb
    Size/MD5 checksum:  4759214 30d6cc0cd9c19adc03e84ea6f4e0fa1d

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_mips.deb
    Size/MD5 checksum:  3409214 7a4aa4251c5e8b9ece35b76fec637e68

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_mipsel.deb
    Size/MD5 checksum:  3420712 1218f69d04d4b19bd06dbc8878aef769

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_powerpc.deb
    Size/MD5 checksum:  3473328 4fadd92d0f8554f29acb67e641cd355a

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_s390.deb
    Size/MD5 checksum:  3411332 0daeff8bd1b44a86c16d46572d51a43f

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_sparc.deb
    Size/MD5 checksum:  3069038 3ba2810657f07949ac284274f1356973


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJLZYYzAAoJECIIoQCMVaAcd3sH/0Rcb0NuNO+1S3qGePhBSdDw
NDqdhvbiwEBfT6coV5K18XUMhvyjglFmkP370C1YW8s6oxJBUpQhCPGbPwRLfAS0
tZKFim6KtmvLe4CDLxyDeOnfxwoLpLLF1VgSoVEqp1//2ApFSFqd6olNzJ0kW2Oi
Yd3206z3P4/DhFqxLkUfjQsGAxuN0vSGRCCgd1DbUSP7rzuHZzOzjscRyVx7064a
nbXspHd6ApaLYKCkTrT7t2XdjFvvYQmF8XY9HxvADK4N+nFm1j/DAd9DAX7ckgg0
6CmgRKxo5gruGqkYg79Bekrr5cN7GVh6TGYZVFr3dzQ/WGHFk0CAaO3Twyn42Io=
=z1sV
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ