Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Hi,
* Nico Golde n...@debian.org [2009-07-22 00:44]:
> There is currently a build failure in the test suite on FTBFS that's why we

s/on FTBFS/on i386 for lenny/

Sent the build logs to Sebastian.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Hi,

On Thu, Jun 25, 2009 at 08:53:20AM +, Gerrit Pape wrote:
> On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> > The following SA (Secunia Advisory) id was published for git: SA35437[1]:
>
> Thanks Giuseppe.
>
> Hi t...@security, I prepared packages for lenny and etch, and put them
> along with a debdiff here http://niequai.smarden.org/ruGho2e/

Did anything ever happen to those packages? I was unable to find any
further traces of them and the security tracker [1] still marks Etch and
Lenny as being vulnerable. Please note that I did not double-check that,
though.

TIA,
Sebastian

[1] http://security-tracker.debian.net/tracker/CVE-2009-2108

-- 
Sebastian tokkee Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Hi,
* Sebastian Harl s...@tokkee.org [2009-07-21 23:53]:
> On Thu, Jun 25, 2009 at 08:53:20AM +, Gerrit Pape wrote:
> > On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> > > The following SA (Secunia Advisory) id was published for git: SA35437[1]:
> >
> > Thanks Giuseppe.
> >
> > Hi t...@security, I prepared packages for lenny and etch, and put them
> > along with a debdiff here http://niequai.smarden.org/ruGho2e/
>
> Did anything ever happen to those packages? I was unable to find any
> further traces of them and the security tracker [1] still marks Etch and
> Lenny as being vulnerable. Please note that I did not double-check that,
> though.

There is currently a build failure in the test suite on FTBFS that's why we
are lacking updates and unfortunately Gerrit is not available at the moment
(see -private) so it is hard to track the reason. Maybe we'll have more luck
on fixing this during the debconf.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
On Sat, Jun 13, 2009 at 01:24:29AM +0200, Giuseppe Iuculano wrote:
> The following SA (Secunia Advisory) id was published for git: SA35437[1]:

Thanks Giuseppe.

Hi t...@security, I prepared packages for lenny and etch, and put them
along with a debdiff here http://niequai.smarden.org/ruGho2e/

git-core v1.6.3.3, fixing the DoS in sid, will be uploaded tomorrow.

Regards, Gerrit.
Bug#532935: [SA35437] git-daemon Parameter Parsing Infinite Loop Denial of Service
Package: git-core
Version: 1:1.6.3.1-1
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for git: SA35437[1]:

Description:
A vulnerability has been reported in Git, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite loop when parsing certain
additional request parameters. This can be exploited to cause a high CPU
load by sending specially crafted requests to an affected git-daemon.

The vulnerability is reported in versions 1.4.4.5 through 1.6.3.2. Other
versions may also be affected.

Solution:
Fixed in the Git repository.[2]

Provided and/or discovered by:
Shawn O. Pearce

If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.

For further information see:
[1] http://secunia.com/advisories/35437/
[2] http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
https://www.redhat.com/archives/fedora-security-list/2009-June/msg0.html

Cheers,
Giuseppe.
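An added example, not code from git or from any message in this thread, of the defensive shape a parser for git-daemon's NUL-separated "extra args" needs so that it cannot fall into the kind of infinite loop the advisory describes: the cursor advances past every item on every iteration, whether or not the key is recognised, and an item that is not terminated inside the buffer is rejected. The struct, the function names and the bounded-copy helper are hypothetical.

```c
#include <string.h>
#include <strings.h>

/* Parsed "extra args" that follow the first NUL of a git-daemon request
 * line, e.g. "git-upload-pack /repo\0host=example.com:9418\0".
 * Hypothetical structure for this example, not git's own. */
struct extra_args {
    char host[256];
    char port[16];
    int  seen;        /* NUL-terminated items consumed, known or not */
};

/* Copy at most cap-1 bytes of src[0..n) into dst and NUL-terminate. */
static void copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse buf[0..len) as NUL-terminated "key=value" items. The cursor
 * advances past the current item on every iteration, whatever its key,
 * so an unknown key or a stray byte cannot stall the loop.
 * Returns 0 on success, -1 if an item is not NUL-terminated inside buf. */
static int parse_extra_args(const char *buf, size_t len, struct extra_args *out)
{
    const char *p = buf, *end = buf + len;
    memset(out, 0, sizeof(*out));
    while (p < end && *p) {
        /* Locate the terminator without reading beyond the buffer. */
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul)
            return -1;                     /* truncated item: reject */
        if (strncasecmp(p, "host=", 5) == 0) {
            const char *val = p + 5;
            const char *colon = strrchr(val, ':');   /* split host:port */
            if (colon) {
                copy_bounded(out->host, sizeof(out->host), val, (size_t)(colon - val));
                copy_bounded(out->port, sizeof(out->port), colon + 1, strlen(colon + 1));
            } else {
                copy_bounded(out->host, sizeof(out->host), val, strlen(val));
            }
        }
        out->seen++;
        p = nul + 1;     /* unconditional advance: this is what keeps the loop finite */
    }
    return 0;
}
```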