Hi, please have git-core version 1:1.5.6.5-2 migrate to lenny, it
contains a security fix.

 git-core (1:1.5.6.5-2) unstable; urgency=high

   * debian/diff/0005-gitweb-do-not-run-git-diff-that-is-Porcelain.diff:
     new; fix possible gitweb vulnerability: calling "git diff": Jakub
     says that legacy-style URI to view two blob differences are never
     generated since 1.4.3.  This codepath runs "git diff" Porcelain from
     the gitweb, which is a no-no.  It can trigger diff.external command
     that is specified in the configuration file of the repository being
     viewed.

Regards, Gerrit.
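
The changelog entry above turns on diff.external being read from the config of the repository being viewed. As an added example (not part of the original message, and not code from git or gitweb), this sketch scans a repository config file's text for that key so an administrator can review repositories served by gitweb. It goes beyond the page by also flagging per-driver diff.<driver>.command entries; the function name, the simplified parser (no line continuations or inline-comment stripping) and the sample config are assumptions made for illustration.

```python
import re

# [section] or [section "subsection"]; git treats section names case-insensitively.
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
# key = value; key names are case-insensitive too.
KEY = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def risky_diff_settings(config_text):
    """Return (key, value) pairs that let porcelain "git diff" run a command."""
    findings = []
    section, sub = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            section, sub = header.group(1).lower(), header.group(2)
            if sub is None and section.startswith("diff."):
                # Old-style [diff.driver] header.
                section, sub = "diff", section[len("diff."):]
            line = line[header.end():].strip()  # a key may share the header line
        entry = KEY.match(line)
        if section != "diff" or not entry:
            continue
        name, value = entry.group(1).lower(), (entry.group(2) or "").strip()
        if sub is None and name == "external":
            findings.append(("diff.external", value))
        elif sub is not None and name == "command":
            findings.append((f"diff.{sub}.command", value))
    return findings


# Constructed sample of a repository config file, not taken from the page.
SAMPLE_CONFIG = """\
[core]
    bare = true
; constructed example
[DIFF]
    External = /usr/local/bin/helper.sh
[diff "img"]
    command = exif-diff
    binary = true
[difftool]
    external = ignored
"""

if __name__ == "__main__":
    for key, value in risky_diff_settings(SAMPLE_CONFIG):
        print(f"{key} = {value}")
```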

