DSA-3984-1 git -- gitID: oval:org.secpod.oval:def:70593 | Date: (C)2021-04-01 (M)2022-10-10 |
Class: PATCH | Family: unix |
joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured . In addition to fixing the actual bug, this update removes the cvsserver subcommand from git-shell by default. Refer to the updated documentation for instructions how to reenable in case this CVS functionality is still needed.