Medium: git

2015-12-1410:00:00

alas.aws.amazon.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.078 Low

EPSS

Percentile

94.1%

JSON

Issue Overview:

A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user’s system.

Affected Packages:

git

Issue Correction:
Run yum update git to update your system.

New Packages:

i686:  
    git-debuginfo-2.4.3-7.42.amzn1.i686  
    git-daemon-2.4.3-7.42.amzn1.i686  
    git-svn-2.4.3-7.42.amzn1.i686  
    git-2.4.3-7.42.amzn1.i686  
  
noarch:  
    git-email-2.4.3-7.42.amzn1.noarch  
    emacs-git-2.4.3-7.42.amzn1.noarch  
    git-hg-2.4.3-7.42.amzn1.noarch  
    git-all-2.4.3-7.42.amzn1.noarch  
    gitweb-2.4.3-7.42.amzn1.noarch  
    emacs-git-el-2.4.3-7.42.amzn1.noarch  
    git-p4-2.4.3-7.42.amzn1.noarch  
    perl-Git-2.4.3-7.42.amzn1.noarch  
    git-bzr-2.4.3-7.42.amzn1.noarch  
    git-cvs-2.4.3-7.42.amzn1.noarch  
    perl-Git-SVN-2.4.3-7.42.amzn1.noarch  
  
src:  
    git-2.4.3-7.42.amzn1.src  
  
x86_64:  
    git-debuginfo-2.4.3-7.42.amzn1.x86_64  
    git-daemon-2.4.3-7.42.amzn1.x86_64  
    git-2.4.3-7.42.amzn1.x86_64  
    git-svn-2.4.3-7.42.amzn1.x86_64

Additional References

Red Hat: CVE-2015-7545

Mitre: CVE-2015-7545

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686git-debuginfo< 2.4.3-7.42.amzn1git-debuginfo-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux1i686git-daemon< 2.4.3-7.42.amzn1git-daemon-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux1i686git-svn< 2.4.3-7.42.amzn1git-svn-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux1i686git< 2.4.3-7.42.amzn1git-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux1noarchgit-email< 2.4.3-7.42.amzn1git-email-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux1noarchemacs-git< 2.4.3-7.42.amzn1emacs-git-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux1noarchgit-hg< 2.4.3-7.42.amzn1git-hg-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux1noarchgit-all< 2.4.3-7.42.amzn1git-all-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux1noarchgitweb< 2.4.3-7.42.amzn1gitweb-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux1noarchemacs-git-el< 2.4.3-7.42.amzn1emacs-git-el-2.4.3-7.42.amzn1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	i686	git-debuginfo	< 2.4.3-7.42.amzn1	git-debuginfo-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux	1	i686	git-daemon	< 2.4.3-7.42.amzn1	git-daemon-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux	1	i686	git-svn	< 2.4.3-7.42.amzn1	git-svn-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux	1	i686	git	< 2.4.3-7.42.amzn1	git-2.4.3-7.42.amzn1.i686.rpm
Amazon Linux	1	noarch	git-email	< 2.4.3-7.42.amzn1	git-email-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux	1	noarch	emacs-git	< 2.4.3-7.42.amzn1	emacs-git-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux	1	noarch	git-hg	< 2.4.3-7.42.amzn1	git-hg-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux	1	noarch	git-all	< 2.4.3-7.42.amzn1	git-all-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux	1	noarch	gitweb	< 2.4.3-7.42.amzn1	gitweb-2.4.3-7.42.amzn1.noarch.rpm
Amazon Linux	1	noarch	emacs-git-el	< 2.4.3-7.42.amzn1	emacs-git-el-2.4.3-7.42.amzn1.noarch.rpm