USN-3438-1: Git vulnerability | Cloud Foundry

2017-10-06T00:00:00
ID CFOUNDRY:C7C8B32CB5620BC0DBF4628242A0032D
Type cloudfoundry
Reporter Cloud Foundry
Modified 2017-10-06T00:00:00

Description

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04

Description

It was discovered that Git incorrectly handled certain subcommands such as cvsserver. A remote attacker could possibly use this issue via shell metacharacters in modules names to execute arbitrary code.

This update also removes the cvsserver subcommand from git-shell by default.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry cflinuxfs2 prior to 1.159.0

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.159.0 or later.

References