Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 15 Jan 2009 20:54:16 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: CVE request -- git

Hi Steve,

could you please assign a CVE for this bug:

| Current gitweb has a possible local privilege escalation bug that allows a
| malicious repository owner to run a command of his choice by specifying
| diff.external configuration variable in his repository and running a
| crafted gitweb query.
|
| [...] Maintenance release v1.6.0.6, v1.5.6.6, v1.5.5.6 and v1.5.4.7
| are already available at k.org (see the announcement for v1.6.0.6 I
| sent out a few minutes ago), and the master branch and others pushed
| out tonight have the same fix. [...]

<http://marc.info/?l=git&m=122975564100860&w=2>

It's from 2008, so maybe it should get a 2008 number.

Thanks,
Florian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.