Date: Tue, 20 Jan 2009 09:02:31 +0100 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: fw@...eb.enyo.de, coley@...us.mitre.org Subject: Re: CVE request -- git On Mon, 19 Jan 2009 21:57:03 +0100 Florian Weimer <fw@...eb.enyo.de> wrote: > Nerver mind, Novell used CVE-2008-5517 for this. No, they have not. They fixed both -5516 (git_search) and -5517 (git_snapshot and git_object) issues using quote_command() (in their git-220.127.116.11-24.4.src.rpm). No idea why only one of the CVEs was mentioned in the security report... They don't seem to include any patch for diff.external issue, or claim to have fixed it. So -5517 is now really used to refer to two different issues... > (the CVE description is somewhat misleading, I think): With little further details in SuSE security report, I think the description is quite appropriate - unspecified remote hole related to shell metacharacters. Adding the two repo.or.cz links was most likely a guess, not a good one though. Mitre was notified about this inconsistency in the -5517 description and references. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ