Security update for libgit2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0484-1 Final 1 1 2017-02-16T20:54:15Z current 2017-02-16T20:54:15Z 2017-02-16T20:54:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libgit2 This update for libgit2 fixes the several issues. These security issues were fixed: - CVE-2016-10128: Additional sanitization prevent some edge cases in the Git Smart Protocol which can lead to reading outside of a buffer (bsc#1019036). - CVE-2016-10129: Additional sanitization prevent some edge cases in the Git Smart Protocol which can lead to reading outside of a buffer (bsc#1019036). - CVE-2016-10130: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037). - CVE-2017-5338: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037). - CVE-2017-5339: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037). This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html E-Mail link for openSUSE-SU-2017:0484-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libgit2-0.24.1-6.1 libgit2-24-0.24.1-6.1 libgit2-24-32bit-0.24.1-6.1 libgit2-devel-0.24.1-6.1 libgit2-0.24.1-6.1 as a component of openSUSE Leap 42.2 libgit2-24-0.24.1-6.1 as a component of openSUSE Leap 42.2 libgit2-24-32bit-0.24.1-6.1 as a component of openSUSE Leap 42.2 libgit2-devel-0.24.1-6.1 as a component of openSUSE Leap 42.2 Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet. CVE-2016-10128 openSUSE Leap 42.2:libgit2-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-32bit-0.24.1-6.1 openSUSE Leap 42.2:libgit2-devel-0.24.1-6.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html https://www.suse.com/security/cve/CVE-2016-10128.html CVE-2016-10128 https://bugzilla.suse.com/1019036 SUSE Bug 1019036 The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line. CVE-2016-10129 openSUSE Leap 42.2:libgit2-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-32bit-0.24.1-6.1 openSUSE Leap 42.2:libgit2-devel-0.24.1-6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html https://www.suse.com/security/cve/CVE-2016-10129.html CVE-2016-10129 https://bugzilla.suse.com/1019036 SUSE Bug 1019036 The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable. CVE-2016-10130 openSUSE Leap 42.2:libgit2-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-32bit-0.24.1-6.1 openSUSE Leap 42.2:libgit2-devel-0.24.1-6.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html https://www.suse.com/security/cve/CVE-2016-10130.html CVE-2016-10130 https://bugzilla.suse.com/1019037 SUSE Bug 1019037 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2017-5338 openSUSE Leap 42.2:libgit2-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-32bit-0.24.1-6.1 openSUSE Leap 42.2:libgit2-devel-0.24.1-6.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html https://www.suse.com/security/cve/CVE-2017-5338.html CVE-2017-5338 https://bugzilla.suse.com/1019037 SUSE Bug 1019037 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2017-5339 openSUSE Leap 42.2:libgit2-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-0.24.1-6.1 openSUSE Leap 42.2:libgit2-24-32bit-0.24.1-6.1 openSUSE Leap 42.2:libgit2-devel-0.24.1-6.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html https://www.suse.com/security/cve/CVE-2017-5339.html CVE-2017-5339 https://bugzilla.suse.com/1019037 SUSE Bug 1019037