The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
rhn.redhat.com/errata/RHSA-2015-2515.html
www.debian.org/security/2016/dsa-3435
www.openwall.com/lists/oss-security/2015/12/08/5
www.openwall.com/lists/oss-security/2015/12/09/8
www.openwall.com/lists/oss-security/2015/12/11/7
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
www.securityfocus.com/bid/78711
www.securitytracker.com/id/1034501
www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
www.ubuntu.com/usn/USN-2835-1
bugzilla.redhat.com/show_bug.cgi?id=1269794
github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
lkml.org/lkml/2015/10/5/683
security.gentoo.org/glsa/201605-01