* GIT 2.3.1 - Code Execution Vulnerability
@ 2018-01-25 17:02 christian.del.vecchio
  2018-01-25 17:20 ` Santiago Torres
  0 siblings, 1 reply; 3+ messages in thread
From: christian.del.vecchio @ 2018-01-25 17:02 UTC (permalink / raw)
  To: git

Dear Team,

I am Christian Del Vecchio, and I work in the infrastructure of Middleware at Zurich.
We have installed your product on our Sun system in order to connect to our Bitbucket repository.

We have followed the instructions provided on your web page:

https://git-scm.com/download/linux
pkgutil -i git

The version installed is 2.3.1, and it actually works.

But last week our security team informed us that this software didn't pass the security check due to: Git Server and Client Remote Code Execution Vulnerability


Please, is there a newer version available that fixes this problem?

Our system is: Sun Solaris v10 SPARC

Best regards
__________________________________________ 

Christian Del Vecchio 
Middleware SME 

Zurich Insurance Group Ltd. 
bac de Roda 58, 
Building C, 4th floor 
08019 Barcelona, Spain 

64402 (internal) 
+34 93 4465402 (direct) 
christian.del.vecchio@zurich.com 
http://www.zurich.com 


* Re: GIT 2.3.1 - Code Execution Vulnerability
  2018-01-25 17:02 GIT 2.3.1 - Code Execution Vulnerability christian.del.vecchio
@ 2018-01-25 17:20 ` Santiago Torres
  2018-01-25 19:01   ` Dyer, Edwin
  0 siblings, 1 reply; 3+ messages in thread
From: Santiago Torres @ 2018-01-25 17:20 UTC (permalink / raw)
  To: christian.del.vecchio; +Cc: git


Hi, Christian.

They are probably talking about one of these[1][2]. I don't have access
to a Solaris machine right now, so I don't know which is the latest
version they ship, but they probably backported patches.

Here we can't do much more about it, given that the packagers for your
Solaris version are the ones (possibly) packaging 2.3.1. I'd email or
open a ticket with Oracle after making sure they 1) haven't backported
patches to fix these, or 2) don't have a newer version in their
repositories.

Cheers!
-Santiago.


[1] https://security.archlinux.org/CVE-2017-1000117
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-2324




* RE: GIT 2.3.1 - Code Execution Vulnerability
  2018-01-25 17:20 ` Santiago Torres
@ 2018-01-25 19:01   ` Dyer, Edwin
  0 siblings, 0 replies; 3+ messages in thread
From: Dyer, Edwin @ 2018-01-25 19:01 UTC (permalink / raw)
  To: Santiago Torres, git; +Cc: christian.del.vecchio

Current Solaris 10/11 version of Git is 2.4.0:

https://www.opencsw.org/package/git/


Ed Dyer
Associate DevOps Engineer

Alliance Data Retail Services
3075 Loyalty Circle, Columbus OH 43219
Office: 614-944-3923 | Mobile: 614-432-3862




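Santiago's advice (confirm with the vendor whether the fix was backported or a newer version is shipped) and Ed's pointer to 2.4.0 both come down to comparing a version string against the fix floors for the two CVEs, and those floors are per stable branch rather than one global minimum: a 2.9.5 is fixed for CVE-2017-1000117 while a numerically larger 2.10.3 is not. The script below is an added example, not code from the thread or from the git project. The fix-version table is this example's own assumption, taken from the git release announcements as I remember them, and should be confirmed against the advisories linked above before it is relied on. Run on the versions named in the thread, it reports 2.3.1 and 2.4.0 as below the floors for both CVEs. It cannot detect a vendor backport, which keeps the old version string, so "vulnerable" here means "not fixed upstream at this version"; the vendor's changelog or patch list settles the backport question.

```python
"""Compare a git version string against per-branch fix floors for the
two CVEs referenced in this thread.

Added example, not part of the thread or of git itself. FIX_FLOORS is
an assumption drawn from the git release announcements as remembered
by the example's author; verify it against the linked advisories.
"""
import re
import subprocess

# Per stable branch (major, minor): first patch release carrying the fix.
# Fixes were released on several maintenance branches at once, so a
# release on an older branch can be fixed while a numerically larger
# version on a later branch is not. Compare within the branch.
FIX_FLOORS = {
    "CVE-2017-1000117": {  # ssh:// URL with "-"-prefixed host name
        (2, 7): (2, 7, 6), (2, 8): (2, 8, 6), (2, 9): (2, 9, 5),
        (2, 10): (2, 10, 4), (2, 11): (2, 11, 3), (2, 12): (2, 12, 4),
        (2, 13): (2, 13, 5), (2, 14): (2, 14, 1),
    },
    "CVE-2016-2324": {  # path-length integer overflow / heap corruption
        (2, 4): (2, 4, 11), (2, 5): (2, 5, 5),
        (2, 6): (2, 6, 6), (2, 7): (2, 7, 4),
    },
}


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` style output.

    Handles "git version 2.3.1", "2.14.1.windows.1" and "2.7.4-rc0";
    a missing patch level is treated as 0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def status_for(version, floors):
    """Return 'fixed' or 'vulnerable' for one CVE.

    - branch listed in the table: compare the patch level within that branch
    - branch newer than every listed branch: the fix is in the base release
    - branch older than every listed branch: that branch never got the fix
    """
    branch = version[:2]
    if branch in floors:
        return "fixed" if version >= floors[branch] else "vulnerable"
    return "fixed" if branch > max(floors) else "vulnerable"


def assess(version_text, floors_by_cve=FIX_FLOORS):
    """Map each CVE to its status for the given version string."""
    version = parse_git_version(version_text)
    return {cve: status_for(version, floors)
            for cve, floors in floors_by_cve.items()}


def installed_git_version():
    """Run the local git binary; returns None if git is unavailable."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed samples: the two versions named in the thread plus two
    # that show why the comparison must be per branch.
    samples = ["git version 2.3.1", "git version 2.4.0",
               "git version 2.9.5", "git version 2.10.3"]
    local = installed_git_version()
    if local:
        samples.append(local)
    for text in samples:
        print(f"{text:28s} {assess(text)}")
    print("note: a vendor backport keeps the old version string; "
          "'vulnerable' means 'not fixed upstream at this version'.")
```

The per-branch table is the point of the example: a single "is it at least 2.14.1" check would mark every patched maintenance release as vulnerable, and a distribution that backports on top of 2.3.1 or 2.4.0 would be invisible to any version-string check, which is exactly why the thread ends up pointing at the packager.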
