Security update for git SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2757-1 Final 1 1 2017-10-18T17:29:38Z current 2017-10-18T17:29:38Z 2017-10-18T17:29:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issues: This security issue was fixed: - CVE-2017-14867: Git used unsafe Perl scripts to support subcommands such as cvsserver, which allowed attackers to execute arbitrary OS commands via shell metacharacters in a module name (bsc#1061041). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00025.html E-Mail link for openSUSE-SU-2017:2757-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 git-2.12.3-5.14.1 git-arch-2.12.3-5.14.1 git-core-2.12.3-5.14.1 git-credential-gnome-keyring-2.12.3-5.14.1 git-cvs-2.12.3-5.14.1 git-daemon-2.12.3-5.14.1 git-doc-2.12.3-5.14.1 git-email-2.12.3-5.14.1 git-gui-2.12.3-5.14.1 git-svn-2.12.3-5.14.1 git-web-2.12.3-5.14.1 gitk-2.12.3-5.14.1 git-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-arch-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-core-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-credential-gnome-keyring-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-cvs-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-daemon-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-doc-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-email-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-gui-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-svn-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 git-web-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 gitk-2.12.3-5.14.1 as a component of openSUSE Leap 42.2 Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. CVE-2017-14867 openSUSE Leap 42.2:git-2.12.3-5.14.1 openSUSE Leap 42.2:git-arch-2.12.3-5.14.1 openSUSE Leap 42.2:git-core-2.12.3-5.14.1 openSUSE Leap 42.2:git-credential-gnome-keyring-2.12.3-5.14.1 openSUSE Leap 42.2:git-cvs-2.12.3-5.14.1 openSUSE Leap 42.2:git-daemon-2.12.3-5.14.1 openSUSE Leap 42.2:git-doc-2.12.3-5.14.1 openSUSE Leap 42.2:git-email-2.12.3-5.14.1 openSUSE Leap 42.2:git-gui-2.12.3-5.14.1 openSUSE Leap 42.2:git-svn-2.12.3-5.14.1 openSUSE Leap 42.2:git-web-2.12.3-5.14.1 openSUSE Leap 42.2:gitk-2.12.3-5.14.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00025.html https://www.suse.com/security/cve/CVE-2017-14867.html CVE-2017-14867 https://bugzilla.suse.com/1060377 SUSE Bug 1060377 https://bugzilla.suse.com/1060378 SUSE Bug 1060378 https://bugzilla.suse.com/1061041 SUSE Bug 1061041