oss-sec mailing list archives
Re: CVE request -- git
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 22 Jan 2009 17:17:39 -0500 (EST)
On Wed, 21 Jan 2009, Tomas Hoger wrote:
On Tue, 20 Jan 2009 20:09:45 -0500 (EST) "Steven M. Christey" <coley () linus mitre org> wrote:I updated the descriptions for CVE-2008-5516 and CVE-2008-5517 based on Tomas' description.Looks like they got texts mixed up. -5516 was given to git_search issue, and -5517 to git_snapshot and git_object issues (the idea was to use lower id for the issue fixed earlier). Btw, commitdiff links are correct, only texts need swapping.
Fixed.
Can you also change "in 1.5.x" to "before 1.5.x" in both descriptions?
Done (modulo CVE style).
Wording in our BZ is probably confusing, but versions 1.5.5 and 1.5.6 are the first versions to include the fix, not the vulnerability.
Changed 1.5.5 as a non-affected version, but note this:
Same question to the rPath maintainers...Their announcement mentions version 1.5.6.6, that should have both issues fixed (and -5916). They'll probably clarify what was their "old" version.
If they're releasing 1.5.6.6, doesn't that suggest that maybe one of the issues were still present in 1.5.5? Current descriptions below. - Steve ====================================================== Name: CVE-2008-5516 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5516 Reference: BUGTRAQ:20090113 rPSA-2009-0005-1 git gitweb Reference: URL:http://www.securityfocus.com/archive/1/archive/1/500008/100/0/threaded Reference: MISC:http://repo.or.cz/w/git.git?a=commitdiff;h=c582abae Reference: MLIST:[oss-security] 20090120 Re: CVE request -- git Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/20/1 Reference: MLIST:[oss-security] 20090121 Re: CVE request -- git Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/7 Reference: CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2009-0005 Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=479715 Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2936 Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512330 Reference: DEBIAN:DSA-1708 Reference: URL:http://www.debian.org/security/2009/dsa-1708 Reference: SUSE:SUSE-SR:2009:001 Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00002.html The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search. ====================================================== Name: CVE-2008-5517 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517 Reference: BUGTRAQ:20090113 rPSA-2009-0005-1 git gitweb Reference: URL:http://www.securityfocus.com/archive/1/archive/1/500008/100/0/threaded Reference: MISC:http://repo.or.cz/w/git.git?a=commitdiff;h=516381d5 Reference: MLIST:[oss-security] 20090120 Re: CVE request -- git Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/20/1 Reference: MLIST:[oss-security] 20090121 Re: CVE request -- git Reference: URL:http://www.openwall.com/lists/oss-security/2009/01/21/7 Reference: CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2009-0005 Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=479715 Reference: CONFIRM:https://issues.rpath.com/browse/RPL-2936 Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512330 Reference: DEBIAN:DSA-1708 Reference: URL:http://www.debian.org/security/2009/dsa-1708 Reference: SUSE:SUSE-SR:2009:001 Reference: URL:http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00002.html Reference: BID:33215 Reference: URL:http://www.securityfocus.com/bid/33215 The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to (1) git_snapshot and (2) git_object.
Current thread:
- CVE request -- git Florian Weimer (Jan 15)
- Re: CVE request -- git Florian Weimer (Jan 19)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Sebastian Krahmer (Jan 20)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Sebastian Krahmer (Jan 20)
- Re: CVE request -- git Tomas Hoger (Jan 20)
- Re: CVE request -- git Florian Weimer (Jan 19)
- Re: CVE request -- git Tomas Hoger (Jan 21)
- Re: CVE request -- git Steven M. Christey (Jan 22)
- Re: CVE request -- git Tomas Hoger (Jan 23)