[SECURITY] [DLA 938-1] git security update

2017-05-1019:56:02

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

60.4%

JSON

Package : git
Version : 1:1.7.10.4-1+wheezy4
CVE ID : CVE-2017-8386

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.7.10.4-1+wheezy4.

We recommend that you upgrade your git packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipsgit< 1:2.1.4-2.1+deb8u3git_1:2.1.4-2.1+deb8u3_mips.deb
Debian8allgit-el< 1:2.1.4-2.1+deb8u3git-el_1:2.1.4-2.1+deb8u3_all.deb
Debian7allgitk< 1:1.7.10.4-1+wheezy4gitk_1:1.7.10.4-1+wheezy4_all.deb
Debian8amd64git< 1:2.1.4-2.1+deb8u3git_1:2.1.4-2.1+deb8u3_amd64.deb
Debian8allgit-mediawiki< 1:2.1.4-2.1+deb8u3git-mediawiki_1:2.1.4-2.1+deb8u3_all.deb
Debian8armelgit< 1:2.1.4-2.1+deb8u3git_1:2.1.4-2.1+deb8u3_armel.deb
Debian7allgit-all< 1:1.7.10.4-1+wheezy4git-all_1:1.7.10.4-1+wheezy4_all.deb
Debian7allgit-gui< 1:1.7.10.4-1+wheezy4git-gui_1:1.7.10.4-1+wheezy4_all.deb
Debian7allgitweb< 1:1.7.10.4-1+wheezy4gitweb_1:1.7.10.4-1+wheezy4_all.deb
Debian8allgit-man< 1:2.1.4-2.1+deb8u3git-man_1:2.1.4-2.1+deb8u3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mips	git	< 1:2.1.4-2.1+deb8u3	git_1:2.1.4-2.1+deb8u3_mips.deb
Debian	8	all	git-el	< 1:2.1.4-2.1+deb8u3	git-el_1:2.1.4-2.1+deb8u3_all.deb
Debian	7	all	gitk	< 1:1.7.10.4-1+wheezy4	gitk_1:1.7.10.4-1+wheezy4_all.deb
Debian	8	amd64	git	< 1:2.1.4-2.1+deb8u3	git_1:2.1.4-2.1+deb8u3_amd64.deb
Debian	8	all	git-mediawiki	< 1:2.1.4-2.1+deb8u3	git-mediawiki_1:2.1.4-2.1+deb8u3_all.deb
Debian	8	armel	git	< 1:2.1.4-2.1+deb8u3	git_1:2.1.4-2.1+deb8u3_armel.deb
Debian	7	all	git-all	< 1:1.7.10.4-1+wheezy4	git-all_1:1.7.10.4-1+wheezy4_all.deb
Debian	7	all	git-gui	< 1:1.7.10.4-1+wheezy4	git-gui_1:1.7.10.4-1+wheezy4_all.deb
Debian	7	all	gitweb	< 1:1.7.10.4-1+wheezy4	gitweb_1:1.7.10.4-1+wheezy4_all.deb
Debian	8	all	git-man	< 1:2.1.4-2.1+deb8u3	git-man_1:2.1.4-2.1+deb8u3_all.deb