Sunday, September 26, 2010

[SECURITY] [DSA-2114-1] New git-core packages fix regression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2114-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
September 26, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : git-core
Vulnerability : buffer overflow
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2010-2542
Debian bug : 595728 590026

The Debian stable point release 5.0.6 included updated packages of
the Git revision control system in order to fix a security issue.
Unfortunately, the update introduced a regression which could make
it impossible to clone or create git repositories. This upgrade
fixes this regression, which is tracked as Debian bug #595728.

The original security issue allowed an attacker to execute arbitrary
code if he could trick a local user to execute a git command in a
crafted working directory (CVE-2010-2542).

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny3.2.

The packages for the hppa architecture are not included in this
advisory. However, the hppa architecture is not known to be affected
by the regression.

For the testing distribution (squeeze) and the unstable distribution
(sid), the security issue has been fixed in version 1.7.1-1.1. These
distributions were not affected by the regression.

We recommend that you upgrade your git-core packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 (stable) alias lenny
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.dsc
Size/MD5 checksum: 1332 1ca802be6d1039154fea0f867fc1c3cf
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
Size/MD5 checksum: 2103619 c22da91c913a02305fd8a1a2298f75c9
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2.diff.gz
Size/MD5 checksum: 228860 778ce77061180906a2aae9f22c606e93

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 267472 3c95d2a6bd41b0275c7f8e95ef12efa4
http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 402182 634c011ec7a8ae782b0bff0be2134078
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 231542 a53d6f8319c8dd5182cdc224513d5bfd
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 218012 3b291893958b61fbe4825e7774ea2e9b
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 269864 2c9d96e08c55e34a83270cc34ce38463
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 268424 ad015248dfc153c22f4a95927c288912
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 1249010 a4986335fde6824c01bb1dec115c0314
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 229804 e81867cadc7426d6361ac1dbbccce1c7
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny3.2_all.deb
Size/MD5 checksum: 301022 dd567de6cd446f8362127f5f5876dae2

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_alpha.deb
Size/MD5 checksum: 3809306 2910ff0e823c7b56eee4ceb51e6be806

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_amd64.deb
Size/MD5 checksum: 3419816 ba89829009b57237c5a0630eb01c01c3

arm architecture (ARM)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_arm.deb
Size/MD5 checksum: 3042360 5be0e0673a32062ad9ec56c0feee2a69

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_armel.deb
Size/MD5 checksum: 3071030 168f3edcc71842c4a09b5d656a639be0

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_i386.deb
Size/MD5 checksum: 3140010 429887ce79db588352636d24bcd42df7

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_ia64.deb
Size/MD5 checksum: 4760744 4cd6c9386efdd3d684b616a2928c4fe9

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mips.deb
Size/MD5 checksum: 3417818 376e6c42f288898369b61b4f6203b2ae

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_mipsel.deb
Size/MD5 checksum: 3421030 7578fae97f13c3fd21245c9be7e50503

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_powerpc.deb
Size/MD5 checksum: 3482142 92729277795f88ca818304bcf3c6fda8

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_s390.deb
Size/MD5 checksum: 3422802 05720c1cea472a17406fb2c0a917b4c2

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.2_sparc.deb
Size/MD5 checksum: 3077076 7db8d2a588021c019561fe370baf81af


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMn5cEbxelr8HyTqQRAgoLAKC1M6bR/VNriOulksumyribvvUBNACfZjlF
4kTh06lGitMNsey04BHdLUY=
=AofO
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/E1OzwPK-0003hA-5m@chopin.debian.org

No comments:

Post a Comment