DSA-3984-1 git -- git
ID: oval:org.secpod.oval:def:603120 | Date: (C)2017-10-05 (M)2023-12-20 |
Class: PATCH | Family: unix |
joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured. In addition to fixing the actual bug, this update removes the cvsserver subcommand from git-shell by default. Refer to the updated documentation for instructions on how to re-enable it in case this CVS functionality is still needed.
Platform: |
Debian 8.x |
Debian 9.x |