Date: Mon, 5 Oct 2015 20:56:47 -0700
From: Seth Arnold <>
Subject: CVE Request: git

Hello MITRE, all,

The git project announced v2.6.1
and included the following text:

	 * Some protocols (like git-remote-ext) can execute arbitrary code
	   found in the URL. The URLs that submodules use may come
	   from arbitrary sources (e.g., .gitmodules files in a remote
	   repository), and can hurt those who blindly enable recursive
	   fetch. Restrict the allowed protocols to well known and
	   safe ones.

The following commits appear to implement the restrictions:

I do not know if this is exhaustive.

The announcement also mentions some int-based overflows but does not
describe any situations that would allow crossing privilege boundaries.

Please assign CVEs as appropriate.
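
An added example, not part of the original message and not code from the git project: a small audit that reads a `.gitmodules` file and reports submodule URLs whose transport falls outside an allowlist, which is the condition the quoted release note describes. The allowlist, the simplified URL classification rules and the sample file contents are assumptions made for this example.

```python
import re

# Assumption for this example: the transports local policy permits.
ALLOWED = {"file", "git", "http", "https", "ssh"}

SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
URL_KEY = re.compile(r'^\s*url\s*=\s*(?P<url>.*?)\s*$', re.IGNORECASE)
# "name::address" (remote helper such as ext) or "scheme://host/path".
PREFIX = re.compile(r'^(?P<t>[A-Za-z][A-Za-z0-9+.-]*)(?:::|://)')
SCP_LIKE = re.compile(r'^[^/:]+:')  # user@host:path, no slash before the colon


def transport(url):
    """Return the transport a submodule URL selects (simplified rules)."""
    m = PREFIX.match(url)
    if m:
        return m.group("t").lower()
    if url.startswith(("./", "../")):
        return "relative"  # resolved against the superproject's own remote
    return "ssh" if SCP_LIKE.match(url) else "file"


def audit_gitmodules(text, allowed=ALLOWED):
    """Return (submodule, url, transport) for each URL outside the allowlist."""
    findings, name = [], None
    for line in text.splitlines():
        section = SECTION.match(line)
        if section:
            name = section.group("name")
            continue
        key = URL_KEY.match(line)
        if key and name is not None:
            t = transport(key.group("url"))
            if t != "relative" and t not in allowed:
                findings.append((name, key.group("url"), t))
    return findings


# Constructed .gitmodules content for the example (not from a real repository).
SAMPLE = """\
[submodule "libs/parser"]
    url = https://git.example.org/parser.git
[submodule "libs/helper"]
    url = ext::PLACEHOLDER-COMMAND
[submodule "libs/sibling"]
    url = ../sibling.git
[submodule "libs/mirror"]
    url = git@git.example.org:mirror.git
"""

if __name__ == "__main__":
    for name, url, t in audit_gitmodules(SAMPLE):
        print(f"{name}: transport '{t}' not allowed ({url})")
```

Running the audit on a checkout before enabling recursive fetch shows which submodule entries would need review; relative URLs are skipped because they inherit the superproject's transport.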

