[Bug 1774061] Re: git: CVE-2018-11235 arbitrary code execution via submodule names in .gitmodules
Anders Kaseorg
andersk at mit.edu
Wed Jun 6 06:49:44 UTC 2018
Jan: It’s not special. As a rule, stable releases almost never get
version bumps outside of a handful of prominent packages that can’t be
supported securely any other way (e.g. Firefox). Instead, individual
security patches are backported.
https://wiki.ubuntu.com/StableReleaseUpdates
git 2.7.4-0ubuntu1.4 in xenial-security has the security fix. If you
want 2.17.1 in xenial, use the PPA
(https://launchpad.net/~git-core/+archive/ubuntu/ppa).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1774061
Title:
git: CVE-2018-11235 arbitrary code execution via submodule names in
.gitmodules
Status in git package in Ubuntu:
Fix Committed
Bug description:
Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4 contain a fix for CVE-2018-11235 announced here:
https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/
Debian has fixed packages here:
https://security-tracker.debian.org/tracker/CVE-2018-11235
I could not find the fixed packages for Ubuntu; the Ubuntu link on the
above Debian tracker results in a 404, and there is no newer package
available in the repository for 18.04 LTS.