Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-20 Thread Jonathan Nieder
On Thu, Mar 17, 2016 at 12:37:27AM +, Ben Hutchings wrote:
> On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
>> Ben Hutchings wrote:
>>> I intend to NMU git to fix these bugs in unstable, as they make most of
>>> my development activity unsafe.
>>>
>>> git maintainers, please let me

Processed: Re: Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Debian Bug Tracking System
Processing control commands:
> retitle -1 git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished)
> server and client RCE
Bug #818318 [git] git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.3
Changed Bug title to 'git: CVE-2016-2324 a

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Jonathan Nieder
Ben Hutchings wrote:
> I intend to NMU git to fix these bugs in unstable, as they make most of
> my development activity unsafe.
>
> git maintainers, please let me know if you're already preparing an
> update.
I'm already preparing an update.
Jonathan

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Ben Hutchings
On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
> Ben Hutchings wrote:
> >
> > > I intend to NMU git to fix these bugs in unstable, as they make most of
> > my development activity unsafe.
> >
> > git maintainers, please let me know if you're already preparing an
> > update.
> I'm

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-19 Thread Salvatore Bonaccorso
Hi all, Want to try to summarize: CVE-2016-2315, fixed by https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 (v2.7.0-rc0). Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name removal, in

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Salvatore Bonaccorso
Control: retitle -1 git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE
Hi,
On Wed, Mar 16, 2016 at 12:22:59PM +0100, Salvatore Bonaccorso wrote:
> Then there is CVE-2016-2324. AFAICT, this is fixed by the path_name
> removal, in
>

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE

2016-03-19 Thread Ben Hutchings
I intend to NMU git to fix these bugs in unstable, as they make most of my development activity unsafe.
git maintainers, please let me know if you're already preparing an update.
Ben.
--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-15 Thread GCS
On Tue, Mar 15, 2016 at 10:13 PM, Ximin Luo wrote:
> http://seclists.org/oss-sec/2016/q1/645
>
> Please upload 2.7.1 ASAP.
Just for the record, it should be 2.7.3 due to an integer overflow fix[1] (no CVE). On the other hand, CVE-2016-2315 is already fixed in Stretch and

Bug#818318: git: CVE-2016-2324 and CVE-2016-2315 (currently unpublished) server and client RCE, fixed in 2.7.1

2016-03-15 Thread Ximin Luo
Package: git
Version: 1:2.7.0-1
Severity: grave
Tags: upstream security
Justification: user security hole
Dear Maintainer,
This was just posted: http://seclists.org/oss-sec/2016/q1/645
Please upload 2.7.1 ASAP.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT