[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
** Changed in: git (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1774061

Title:
  git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1774061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Jan: It’s not special. As a rule, stable releases almost never get version bumps outside of a handful of prominent packages that can’t be supported securely any other way (e.g. Firefox). Instead, individual security patches are backported.

https://wiki.ubuntu.com/StableReleaseUpdates

git 2.7.4-0ubuntu1.4 in xenial-security has the security fix. If you want 2.17.1 in xenial, use the PPA (https://launchpad.net/~git-core/+archive/ubuntu/ppa).
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Is there a special reason why git does not get updated to 2.17.1 for xenial?
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
** Changed in: git (Ubuntu)
       Status: Fix Released => Fix Committed
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
2.17.1-1ubuntu1 hasn’t migrated from cosmic-proposed, so this should still be Fix Committed, not Fix Released.
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
This bug was fixed in the package git - 1:2.14.1-1ubuntu4.1

---
git (1:2.14.1-1ubuntu4.1) artful-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule names in .gitsubmodules.
    - 0001-submodule-config-verify-submodule-names-as-paths.patch
    - 012-fsck-simplify-.git-check.patch
    - 013-fsck-actually-fsck-blob-data.patch
    - 014-fsck-detect-gitmodules-files.patch
    - 015-fsck-check-.gitmodules-content.patch
    - 016-fsck-call-fsck_finish-after-fscking-objects.patch
    - 017-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 018-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 003-is_hfs_dotgit-match-other-.git-files.patch
    - 004-is_ntfs_dotgit-match-other-.git-files.patch
    - 005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 006-skip_prefix-add-case-insensitive-variant.patch
    - 007-verify_path-drop-clever-fallthrough.patch
    - 008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 009-update-index-stat-updated-files-earlier.patch
    - 010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 011-index-pack-make-fsck-error-message-more-specific.patch
    - 019-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie  Thu, 31 May 2018 22:52:33 -0700

** Changed in: git (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
This bug was fixed in the package git - 1:1.9.1-1ubuntu0.8

---
git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule names in .gitsubmodules.
    - 0005-submodule-config-verify-submodule-names-as-paths.patch
    - 0018-fsck-simplify-.git-check.patch
    - 0020-fsck-actually-fsck-blob-data.patch
    - 0025-fsck-detect-gitmodules-files.patch
    - 0026-fsck-check-.gitmodules-content.patch
    - 0027-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
    - 0029-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking pathnames on NTFS
    - 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
  * debian/rules: ensure added tests are executable.
    - 0001-apply-reject-input-that-touches-outside-the-working-a.patch
    - 0002-apply-do-not-read-from-the-filesystem-under-index.patch
    - 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
    - 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
    - 0007-is_hfs_dotgit-match-other-.git-files.patch
    - 0008-is_ntfs_dotgit-match-other-.git-files.patch
    - 0009-skip_prefix-add-case-insensitive-variant.patch
    - 0010-verify_path-drop-clever-fallthrough.patch
    - 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0012-update-index-stat-updated-files-earlier.patch
    - 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0014-sha1_file-add-read_loose_object-function.patch
    - 0015-fsck-drop-inode-sorting-code.patch
    - 0016-fsck-parse-loose-object-paths-directly.patch
    - 0017-index-pack-make-fsck-error-message-more-specific.patch
    - 0019-fsck_object-allow-passing-object-data-separately-from.patch
    - 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
    - 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
    - 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
    - 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
    - 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * move patches from debian/diff to quilt debian/patch/, to avoid conflicts and overlooking already added patches
  * Thanks to Jonathan Nieder of Debian for backporting to 2.1.x.

 -- Steve Beattie  Mon, 04 Jun 2018 10:56:07 -0700

** Changed in: git (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
This bug was fixed in the package git - 1:2.7.4-0ubuntu1.4

---
git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule names in .gitsubmodules.
    - 0014-fsck-simplify-.git-check.patch
    - 0015-fsck-actually-fsck-blob-data.patch
    - 0016-fsck-detect-gitmodules-files.patch
    - 0017-fsck-check-.gitmodules-content.patch
    - 0018-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 0020-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 0003-is_hfs_dotgit-match-other-.git-files.patch
    - 0004-is_ntfs_dotgit-match-other-.git-files.patch
    - 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 0006-skip_prefix-add-case-insensitive-variant.patch
    - 0007-verify_path-drop-clever-fallthrough.patch
    - 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0009-update-index-stat-updated-files-earlier.patch
    - 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0011-sha1_file-add-read_loose_object-function.patch
    - 0012-fsck-parse-loose-object-paths-directly.patch
    - 0013-index-pack-make-fsck-error-message-more-specific.patch
    - 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

 -- Steve Beattie  Fri, 01 Jun 2018 23:44:15 -0700

** Changed in: git (Ubuntu)
       Status: Fix Committed => Fix Released
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
This bug was fixed in the package git - 1:2.17.1-1ubuntu0.1

---
git (1:2.17.1-1ubuntu0.1) bionic-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via submodule names in .gitsubmodules.
    - CVE-2018-11235
  * SECURITY UPDATE: out-of-bounds memory when sanity-checking pathnames on NTFS
    - CVE-2018-11233
  * Merge from Debian (LP: #1774061). Remaining changes:
    - debian/control: build against pcre v3 only
    - debian/rules: s390x libpcre3 library has JIT disabled, set NO_LIBPCRE1_JIT on that arch to stop the build from failing.

git (1:2.17.1-1) unstable; urgency=high

  * new upstream point release to fix CVE-2018-11235, arbitary code execution via submodule names in .gitmodules (see RelNotes/2.17.1.txt).

 -- Steve Beattie  Thu, 31 May 2018 10:50:28 -0700
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
OK found it: http://launchpadlibrarian.net/372600366/git_1%3A2.17.0-1ubuntu1_1%3A2.17.1-1ubuntu1.diff.gz
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Is there a git diff available for the change?
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
As Seth said, I have now made packages for trusty through bionic available in the Ubuntu Security Proposed PPA: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages . They are awaiting testing, so please do not use them on data you care about; however, testing feedback from people would be appreciated.

Thanks!
Re: [Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
On Sat, Jun 02, 2018 at 01:22:36AM -, Anders Kaseorg wrote:
> It looks like the fix is currently in cosmic-proposed.
> https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

The -proposed pocket in the development release is not intended for human consumption: anything and everything gets pushed through that, and is released to the devel release when autopackage tests pass.

The security updates are being prepared in the Ubuntu Security Proposed PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

I do not know the state of these packages, so please use them at your own risk, but should you choose to use these packages, feedback on your experience here may be helpful to us.

Thanks
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
It looks like the fix is currently in cosmic-proposed.
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu1

** Changed in: git (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
There are CI systems for which the workaround can't be used. Do you have a patch timeline?
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Um, why hasn't Ubuntu released fixes yet? Ubuntu is usually much better about getting security fixes out quickly. What's the hold-up here?
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Workaround: add stable repo from git-scm to get a fixed version

$ add-apt-repository ppa:git-core/ppa
$ apt update
$ apt install git

(from https://git-scm.com/download/linux )
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
The Ubuntu repo still provides the outdated git version 2.7.4.
This could be checked by running:

$ sudo apt-get update
$ sudo apt-cache policy git

This should be fixed with high priority.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11233
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
Added CVE-2018-11233 because git before 2.13.7 is affected by that bug as well.
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
DSA-4212-1 https://www.debian.org/security/2018/dsa-4212
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11235
[Bug 1774061] Re: git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
** Summary changed:

- git: CVE 2018-11235 arbitary code execution via submodule names in .gitmodules
+ git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
[Bug 1774061] Re: git: CVE 2018-11235 arbitary code execution via submodule names in .gitmodules
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: git (Ubuntu)
       Status: New => Confirmed