Security update for git SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1432-1 Final 1 1 2017-05-29T07:01:09Z current 2017-05-29T07:01:09Z 2017-05-29T07:01:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issue: - CVE-2017-8386: git shell, may allow a user who comes over SSH to run an interactive pager by causing it to spawn 'git upload-pack --help' (bsc#1038395): The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-git-13129,slestso13-git-13129 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171432-1/ Link for SUSE-SU-2017:1432-1 https://lists.suse.com/pipermail/sle-security-updates/2017-May/002923.html E-Mail link for SUSE-SU-2017:1432-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1038395 SUSE Bug 1038395 https://www.suse.com/security/cve/CVE-2017-8386/ SUSE CVE CVE-2017-8386 page SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3 git-1.7.12.4-0.17.1 git-arch-1.7.12.4-0.17.1 git-core-1.7.12.4-0.17.1 git-cvs-1.7.12.4-0.17.1 git-daemon-1.7.12.4-0.17.1 git-email-1.7.12.4-0.17.1 git-gui-1.7.12.4-0.17.1 git-svn-1.7.12.4-0.17.1 git-web-1.7.12.4-0.17.1 gitk-1.7.12.4-0.17.1 git-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-arch-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-core-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-cvs-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-daemon-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-email-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-gui-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-svn-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-web-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 gitk-1.7.12.4-0.17.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 git-1.7.12.4-0.17.1 as a component of SUSE Studio Onsite 1.3 git-core-1.7.12.4-0.17.1 as a component of SUSE Studio Onsite 1.3 git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character. CVE-2017-8386 SUSE Linux Enterprise Software Development Kit 11 SP4:git-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-arch-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-core-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-cvs-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-daemon-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-email-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-gui-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-svn-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:git-web-1.7.12.4-0.17.1 SUSE Linux Enterprise Software Development Kit 11 SP4:gitk-1.7.12.4-0.17.1 SUSE Studio Onsite 1.3:git-1.7.12.4-0.17.1 SUSE Studio Onsite 1.3:git-core-1.7.12.4-0.17.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171432-1/ https://www.suse.com/security/cve/CVE-2017-8386.html CVE-2017-8386 https://bugzilla.suse.com/1038395 SUSE Bug 1038395