Message-Id: <E1OzwPK-0003hA-5m@chopin.debian.org>
Date: Sun, 26 Sep 2010 18:57:06 +0000
From: Stefan Fritsch <sf@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA-2114-1] New git-core packages fix
	regression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2114-1                  security@...ian.org
http://www.debian.org/security/                           Stefan Fritsch
September 26, 2010                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : git-core
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2010-2542
Debian bug     : 595728 590026

The Debian stable point release 5.0.6 included updated packages of
the Git revision control system in order to fix a security issue.
Unfortunately, the update introduced a regression which could make
it impossible to clone or create git repositories.  This upgrade
fixes this regression, which is tracked as Debian bug #595728.

The original security issue allowed an attacker to execute arbitrary
code if he could trick a local user into executing a git command in a
crafted working directory (CVE-2010-2542).

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny3.2.

The packages for the hppa architecture are not included in this
advisory.  However, the hppa architecture is not known to be affected
by the regression.

For the testing distribution (squeeze) and the unstable distribution
(sid), the security issue has been fixed in version 1.7.1-1.1. These
distributions were not affected by the regression.

We recommend that you upgrade your git-core packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 (stable) alias lenny
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.dsc
    Size/MD5 checksum:     1332 1ca802be6d1039154fea0f867fc1c3cf
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
    Size/MD5 checksum:  2103619 c22da91c913a02305fd8a1a2298f75c9
  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.diff.gz
    Size/MD5 checksum:   228860 778ce77061180906a2aae9f22c606e93

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   267472 3c95d2a6bd41b0275c7f8e95ef12efa4
  http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   402182 634c011ec7a8ae782b0bff0be2134078
  http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   231542 a53d6f8319c8dd5182cdc224513d5bfd
  http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   218012 3b291893958b61fbe4825e7774ea2e9b
  http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   269864 2c9d96e08c55e34a83270cc34ce38463
  http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   268424 ad015248dfc153c22f4a95927c288912
  http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:  1249010 a4986335fde6824c01bb1dec115c0314
  http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   229804 e81867cadc7426d6361ac1dbbccce1c7
  http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny3.2_all.deb
    Size/MD5 checksum:   301022 dd567de6cd446f8362127f5f5876dae2

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_alpha.deb
    Size/MD5 checksum:  3809306 2910ff0e823c7b56eee4ceb51e6be806

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_amd64.deb
    Size/MD5 checksum:  3419816 ba89829009b57237c5a0630eb01c01c3

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_arm.deb
    Size/MD5 checksum:  3042360 5be0e0673a32062ad9ec56c0feee2a69

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_armel.deb
    Size/MD5 checksum:  3071030 168f3edcc71842c4a09b5d656a639be0

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_i386.deb
    Size/MD5 checksum:  3140010 429887ce79db588352636d24bcd42df7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_ia64.deb
    Size/MD5 checksum:  4760744 4cd6c9386efdd3d684b616a2928c4fe9

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mips.deb
    Size/MD5 checksum:  3417818 376e6c42f288898369b61b4f6203b2ae

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mipsel.deb
    Size/MD5 checksum:  3421030 7578fae97f13c3fd21245c9be7e50503

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_powerpc.deb
    Size/MD5 checksum:  3482142 92729277795f88ca818304bcf3c6fda8

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_s390.deb
    Size/MD5 checksum:  3422802 05720c1cea472a17406fb2c0a917b4c2

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_sparc.deb
    Size/MD5 checksum:  3077076 7db8d2a588021c019561fe370baf81af


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMn5cEbxelr8HyTqQRAgoLAKC1M6bR/VNriOulksumyribvvUBNACfZjlF
4kTh06lGitMNsey04BHdLUY=
=AofO
-----END PGP SIGNATURE-----
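
Added example (not part of the advisory or of Debian's tooling): a Python check of manually downloaded files against the "Size/MD5 checksum" pairs in the listing above. The sample listing, host and file name in the code are constructed so it runs offline; MD5 only catches corrupted or mismatched downloads, and the values are only as trustworthy as the signed advisory they are read from.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample in the advisory's layout (URL line, then a
# "Size/MD5 checksum:" line). Host, file name and content are made up.
SAMPLE_CONTENT = b"constructed package payload\n"
SAMPLE_LISTING = """\
  http://mirror.example/pool/updates/main/d/demo/demo_1.0-1_all.deb
    Size/MD5 checksum:  {size} {md5}
""".format(size=len(SAMPLE_CONTENT), md5=hashlib.md5(SAMPLE_CONTENT).hexdigest())

# One entry: a URL on its own line followed by its size and MD5 digest.
ENTRY = re.compile(
    r"^\s*(?P<url>\S+://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)

def parse_listing(text):
    """Return {file name: (size, md5)} for every URL/checksum pair in text."""
    entries = {}
    for m in ENTRY.finditer(text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries[name] = (int(m.group("size")), m.group("md5"))
    return entries

def verify_file(path, entries):
    """Return 'ok', 'unlisted', 'size mismatch' or 'md5 mismatch' for one file."""
    path = Path(path)
    if path.name not in entries:
        return "unlisted"
    size, md5 = entries[path.name]
    if path.stat().st_size != size:  # cheap check before hashing
        return "size mismatch"
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5 mismatch"

if __name__ == "__main__":
    import sys
    # Usage: <saved advisory text> <downloaded file> [<downloaded file> ...]
    listing = parse_listing(Path(sys.argv[1]).read_text())
    for name in sys.argv[2:]:
        print(name, verify_file(name, listing))
```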
