Debian Bug report logs - #876854
git: CVE-2017-14867: cvsserver OS command injection

version graph

Package: src:git; Maintainer for src:git is Jonathan Nieder <jrnieder@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 26 Sep 2017 11:21:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version git/1:2.1.4-1

Fixed in versions git/1:2.14.2-1, git/1:2.1.4-2.1+deb8u5, git/1:2.11.0-3+deb9u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#876854; Package src:git. (Tue, 26 Sep 2017 11:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gerrit Pape <pape@smarden.org>. (Tue, 26 Sep 2017 11:21:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: git: Git cvsserver OS Command Injection
Date: Tue, 26 Sep 2017 13:19:30 +0200
Source: git
Version: 1:2.1.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 1:2.14.2-1
Control: fixed -1 1:2.11.0-3+deb9u2
Control: fixed -1  1:2.1.4-2.1+deb8u5

There is not CVE for tracking for this/those issues, so filling a
respective bug in the Debian BTS. It is already fixed in unstable.

http://www.openwall.com/lists/oss-security/2017/09/26/9

Regards,
Salvatore



Marked as fixed in versions git/1:2.14.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 26 Sep 2017 11:21:07 GMT) (full text, mbox, link).


Marked as fixed in versions git/1:2.11.0-3+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 26 Sep 2017 11:21:08 GMT) (full text, mbox, link).


Marked as fixed in versions git/1:2.1.4-2.1+deb8u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 26 Sep 2017 11:21:08 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 26 Sep 2017 14:00:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 26 Sep 2017 14:00:04 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#876854. (Tue, 26 Sep 2017 14:00:05 GMT) (full text, mbox, link).


Message #18 received at 876854-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 876854-submitter@bugs.debian.org
Subject: closing 876854
Date: Tue, 26 Sep 2017 15:56:40 +0200
close 876854 1:2.14.2-1
thanks




Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 27 Sep 2017 05:15:09 GMT) (full text, mbox, link).


Changed Bug title to 'git: CVE-2017-14867: cvsserver OS command injection' from 'git: Git cvsserver OS Command Injection'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Oct 2017 05:03:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Nov 2017 07:28:16 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 22:35:32 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.