DSA-3984-1 git -- git
|ID: oval:org.secpod.oval:def:603120||Date: (C)2017-10-05 (M)2017-11-18|
|Class: PATCH||Family: unix|
joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured . In addition to fixing the actual bug, this update removes the cvsserver subcommand from git-shell by default. Refer to the updated documentation for instructions how to reenable in case this CVS functionality is still needed.