[Bug 1774061] Re: git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules
Seth Arnold
1774061 at bugs.launchpad.net
Sat Jun 2 02:04:00 UTC 2018
On Sat, Jun 02, 2018 at 01:22:36AM -0000, Anders Kaseorg wrote:
> It looks like the fix is currently in cosmic-proposed.
> https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1
The -proposed pocket in the development release is not intended for
human consumption: anything and everything gets pushed through that,
and is released to the devel release when autopackage tests pass.
The security updates are being prepared in the Ubuntu Security Proposed
PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
I do not know the state of these packages, so please use them at your
own risk, but should you choose to use these packages, feedback on your
experience here may be helpful to us.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1774061
Title:
git: CVE-2018-11235 arbitrary code execution via submodule names in
.gitmodules
Status in git package in Ubuntu:
Fix Committed
Bug description:
Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE-2018-11235 announced here:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
Debian has fixed packages here:
https://security-tracker.debian.org/tracker/CVE-2018-11235
I could not find the fixed packages for Ubuntu; the Ubuntu link on the
above Debian tracker results in a 404, and there is no newer package
available in the repository for 18.04 LTS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1774061/+subscriptions