Security update for git SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2182-1 Final 1 1 2017-08-16T18:09:26Z current 2017-08-16T18:09:26Z 2017-08-16T18:09:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following security issues: - CVE-2017-1000117: A malicious third-party could have caused a git client to execute arbitrary commands via crafted 'ssh://...' URLs, including submodules (boo#1052481) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00050.html E-Mail link for openSUSE-SU-2017:2182-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 git-2.13.5-3.1 git-arch-2.13.5-3.1 git-core-2.13.5-3.1 git-credential-gnome-keyring-2.13.5-3.1 git-cvs-2.13.5-3.1 git-daemon-2.13.5-3.1 git-doc-2.13.5-3.1 git-email-2.13.5-3.1 git-gui-2.13.5-3.1 git-svn-2.13.5-3.1 git-web-2.13.5-3.1 gitk-2.13.5-3.1 git-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-arch-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-core-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-credential-gnome-keyring-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-cvs-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-daemon-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-doc-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-email-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-gui-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-svn-2.13.5-3.1 as a component of openSUSE Leap 42.3 git-web-2.13.5-3.1 as a component of openSUSE Leap 42.3 gitk-2.13.5-3.1 as a component of openSUSE Leap 42.3 A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. CVE-2017-1000117 openSUSE Leap 42.3:git-2.13.5-3.1 openSUSE Leap 42.3:git-arch-2.13.5-3.1 openSUSE Leap 42.3:git-core-2.13.5-3.1 openSUSE Leap 42.3:git-credential-gnome-keyring-2.13.5-3.1 openSUSE Leap 42.3:git-cvs-2.13.5-3.1 openSUSE Leap 42.3:git-daemon-2.13.5-3.1 openSUSE Leap 42.3:git-doc-2.13.5-3.1 openSUSE Leap 42.3:git-email-2.13.5-3.1 openSUSE Leap 42.3:git-gui-2.13.5-3.1 openSUSE Leap 42.3:git-svn-2.13.5-3.1 openSUSE Leap 42.3:git-web-2.13.5-3.1 openSUSE Leap 42.3:gitk-2.13.5-3.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00050.html https://www.suse.com/security/cve/CVE-2017-1000117.html CVE-2017-1000117 https://bugzilla.suse.com/1052481 SUSE Bug 1052481 https://bugzilla.suse.com/1052696 SUSE Bug 1052696 https://bugzilla.suse.com/1052932 SUSE Bug 1052932 https://bugzilla.suse.com/1053364 SUSE Bug 1053364 https://bugzilla.suse.com/1053600 SUSE Bug 1053600 https://bugzilla.suse.com/1053919 SUSE Bug 1053919 https://bugzilla.suse.com/1058214 SUSE Bug 1058214 https://bugzilla.suse.com/1066430 SUSE Bug 1066430 https://bugzilla.suse.com/1071709 SUSE Bug 1071709