Red Hat Product Errata RHSA-2017:2491 - Security Advisory

Issued:: 2017-08-17
Updated:: 2017-08-17

RHSA-2017:2491 - Security Advisory

Overview
Updated Packages

Synopsis

Important: rh-git29-git security update

Type/Severity

Security Advisory: Important

Topic

An update for rh-git29-git is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit. (CVE-2017-1000117)
A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote, authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. (CVE-2017-8386)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64

Fixes

BZ - 1450407 - CVE-2017-8386 git: Escape out of git-shell
BZ - 1480386 - CVE-2017-1000117 git: Command injection via malicious ssh URLs

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-git29-git-2.9.3-3.el7.src.rpm	SHA-256: ac8ae9286d98f56dc08b417c56a374d462976620b8c0fcdf2598d0a5c4c6b7d1
x86_64
rh-git29-git-2.9.3-3.el7.x86_64.rpm	SHA-256: bcc04c6085de19cba6ffd80aa43f174fd6bb84a780ca541383631c1630d03e1a
rh-git29-git-all-2.9.3-3.el7.noarch.rpm	SHA-256: 53ba021aad1071a4ec50e9dc5f3defa629ef604fe17e2ce7d339e42c303ba8a5
rh-git29-git-core-2.9.3-3.el7.x86_64.rpm	SHA-256: 7f94df8f5751dcabfec9f392a69468f9af2d7ae73c296ef16eefbfd81a458937
rh-git29-git-core-doc-2.9.3-3.el7.x86_64.rpm	SHA-256: 2e51ef1f78c0eba41abebce4f27fd87050d7e9bd7cbf0e5b9021a90e88ece008
rh-git29-git-cvs-2.9.3-3.el7.noarch.rpm	SHA-256: 750724af2916c3bb57454493dc1afa3cdeca00222c92b8d685327f782273fe8d
rh-git29-git-daemon-2.9.3-3.el7.x86_64.rpm	SHA-256: c2f8c0856767c753e42b6d66585046ec4defb05a42177b740286369fe9888278
rh-git29-git-debuginfo-2.9.3-3.el7.x86_64.rpm	SHA-256: a70e38089d3dfa74288cf77aaf49bf0080702aed6b83faa3beab7be6b577ca84
rh-git29-git-email-2.9.3-3.el7.noarch.rpm	SHA-256: 27d0e319c724695641f06aab86deb1ea3a79c970c8e1a26f8e16a74c54066b45
rh-git29-git-gui-2.9.3-3.el7.noarch.rpm	SHA-256: f536a481dbd37a96d2c7602c8ed1d61ea016a0bd7ea63c65e926f1ebe1d9632d
rh-git29-git-p4-2.9.3-3.el7.noarch.rpm	SHA-256: 7d1ff5505c31dff8d93ec5bff954a7e803816e9b5b37ad945bc9c7dd974b5a49
rh-git29-git-svn-2.9.3-3.el7.x86_64.rpm	SHA-256: 5e15ea9df7a6bb54d5c277cc8308398f0a20d5ab8a453cfb6cfbfb8a213b87e0
rh-git29-gitk-2.9.3-3.el7.noarch.rpm	SHA-256: fa9f1a742be7bd43ea73ad6876034d5b0f44f91bef59896aadf30522efe8996e
rh-git29-gitweb-2.9.3-3.el7.noarch.rpm	SHA-256: e799096a52162e281002e6fcb0e62120a311940df0ad321ea1a178a0b9d21294
rh-git29-perl-Git-2.9.3-3.el7.noarch.rpm	SHA-256: d1d8db448acd79284b38e552bcea5ed73841e3134038dfe89c310c01de896e2a
rh-git29-perl-Git-SVN-2.9.3-3.el7.noarch.rpm	SHA-256: c96f8c765d58eb057af50c5b989755e7d1e452179f330b2e9df28cb14171f906

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6

SRPM
rh-git29-git-2.9.3-3.el6.src.rpm	SHA-256: 6a18842f2723f1a28683a709ed5c0823a9a07ea93f8e5f07438a3e4d8763d90f
x86_64
rh-git29-emacs-git-2.9.3-3.el6.noarch.rpm	SHA-256: fa3633e14c8c546727ca9f417b5d62dcd3c0a26746e7149d43dd8d6e53b4a67e
rh-git29-emacs-git-el-2.9.3-3.el6.noarch.rpm	SHA-256: 441764c8f7276558ef0c3c3f8045b17db3383ae4d562b5192c10df90b2560081
rh-git29-git-2.9.3-3.el6.x86_64.rpm	SHA-256: 9b1bb31082a42c25b57122adccf585758b9bd42217e28e0b0e0fa4964a6faf18
rh-git29-git-all-2.9.3-3.el6.noarch.rpm	SHA-256: b6f385c9f66b0fd96a5aacbd75b3e6be9e8322f178eaf760fe7714a56e366738
rh-git29-git-core-2.9.3-3.el6.x86_64.rpm	SHA-256: a9adcd1edcbf50cc6178bdaeba0b89853b7ad8506dd6169a0fd2239699bc3475
rh-git29-git-core-doc-2.9.3-3.el6.x86_64.rpm	SHA-256: a6404b446f36e256805dc9ed173dbf0662c0342030bcdcd306b68bf99b258636
rh-git29-git-cvs-2.9.3-3.el6.noarch.rpm	SHA-256: 414700f1e95285192e13166555957e2c28f3e05bc0fdf3c8151778b7d86405ef
rh-git29-git-daemon-2.9.3-3.el6.x86_64.rpm	SHA-256: 98a11a6d3ff07401180822c17a78355a5e7370b4909dadec9e62000ab35df0c3
rh-git29-git-debuginfo-2.9.3-3.el6.x86_64.rpm	SHA-256: e04615ecc446d160ebcc18b2459c44925c39147d7b57c22c9dda70800507c7f9
rh-git29-git-email-2.9.3-3.el6.noarch.rpm	SHA-256: a38bc957d96824a0b0092b8691411dc86224783f18043b6e80e55f18d1f8f093
rh-git29-git-gui-2.9.3-3.el6.noarch.rpm	SHA-256: c55265272e2149314b1dc54ef5f54a4b29a85b0a2bebec3166412085d87fa793
rh-git29-git-p4-2.9.3-3.el6.noarch.rpm	SHA-256: 12e5c32cf533121c4ebe7e0d228cd510a9b4a6f2ee0b743e34abf6d103b3e499
rh-git29-git-svn-2.9.3-3.el6.x86_64.rpm	SHA-256: b3c455571143a18ef6f4868c6c773195a0ed83bddf3ed2de98939a2e41276e61
rh-git29-gitk-2.9.3-3.el6.noarch.rpm	SHA-256: d987e91e3180daa73c23dca62da5f14181d158fff05439d85d5338ae223a94ef
rh-git29-gitweb-2.9.3-3.el6.noarch.rpm	SHA-256: 49231c3b271877bddd7210398417249dead4e3d15063d0fb3a841721c91594ee
rh-git29-perl-Git-2.9.3-3.el6.noarch.rpm	SHA-256: 40dd6435d3a536327f14937b5839a62846f7ae978515ba8db62dee2ed455af05
rh-git29-perl-Git-SVN-2.9.3-3.el6.noarch.rpm	SHA-256: da54ac2191510445fb7af49d0bcb4a1773d01c0a505d54d494230184f695add6

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-git29-git-2.9.3-3.el7.src.rpm	SHA-256: ac8ae9286d98f56dc08b417c56a374d462976620b8c0fcdf2598d0a5c4c6b7d1
x86_64
rh-git29-git-2.9.3-3.el7.x86_64.rpm	SHA-256: bcc04c6085de19cba6ffd80aa43f174fd6bb84a780ca541383631c1630d03e1a
rh-git29-git-all-2.9.3-3.el7.noarch.rpm	SHA-256: 53ba021aad1071a4ec50e9dc5f3defa629ef604fe17e2ce7d339e42c303ba8a5
rh-git29-git-core-2.9.3-3.el7.x86_64.rpm	SHA-256: 7f94df8f5751dcabfec9f392a69468f9af2d7ae73c296ef16eefbfd81a458937
rh-git29-git-core-doc-2.9.3-3.el7.x86_64.rpm	SHA-256: 2e51ef1f78c0eba41abebce4f27fd87050d7e9bd7cbf0e5b9021a90e88ece008
rh-git29-git-cvs-2.9.3-3.el7.noarch.rpm	SHA-256: 750724af2916c3bb57454493dc1afa3cdeca00222c92b8d685327f782273fe8d
rh-git29-git-daemon-2.9.3-3.el7.x86_64.rpm	SHA-256: c2f8c0856767c753e42b6d66585046ec4defb05a42177b740286369fe9888278
rh-git29-git-debuginfo-2.9.3-3.el7.x86_64.rpm	SHA-256: a70e38089d3dfa74288cf77aaf49bf0080702aed6b83faa3beab7be6b577ca84
rh-git29-git-email-2.9.3-3.el7.noarch.rpm	SHA-256: 27d0e319c724695641f06aab86deb1ea3a79c970c8e1a26f8e16a74c54066b45
rh-git29-git-gui-2.9.3-3.el7.noarch.rpm	SHA-256: f536a481dbd37a96d2c7602c8ed1d61ea016a0bd7ea63c65e926f1ebe1d9632d
rh-git29-git-p4-2.9.3-3.el7.noarch.rpm	SHA-256: 7d1ff5505c31dff8d93ec5bff954a7e803816e9b5b37ad945bc9c7dd974b5a49
rh-git29-git-svn-2.9.3-3.el7.x86_64.rpm	SHA-256: 5e15ea9df7a6bb54d5c277cc8308398f0a20d5ab8a453cfb6cfbfb8a213b87e0
rh-git29-gitk-2.9.3-3.el7.noarch.rpm	SHA-256: fa9f1a742be7bd43ea73ad6876034d5b0f44f91bef59896aadf30522efe8996e
rh-git29-gitweb-2.9.3-3.el7.noarch.rpm	SHA-256: e799096a52162e281002e6fcb0e62120a311940df0ad321ea1a178a0b9d21294
rh-git29-perl-Git-2.9.3-3.el7.noarch.rpm	SHA-256: d1d8db448acd79284b38e552bcea5ed73841e3134038dfe89c310c01de896e2a
rh-git29-perl-Git-SVN-2.9.3-3.el7.noarch.rpm	SHA-256: c96f8c765d58eb057af50c5b989755e7d1e452179f330b2e9df28cb14171f906

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6

SRPM
rh-git29-git-2.9.3-3.el6.src.rpm	SHA-256: 6a18842f2723f1a28683a709ed5c0823a9a07ea93f8e5f07438a3e4d8763d90f
x86_64
rh-git29-emacs-git-2.9.3-3.el6.noarch.rpm	SHA-256: fa3633e14c8c546727ca9f417b5d62dcd3c0a26746e7149d43dd8d6e53b4a67e
rh-git29-emacs-git-el-2.9.3-3.el6.noarch.rpm	SHA-256: 441764c8f7276558ef0c3c3f8045b17db3383ae4d562b5192c10df90b2560081
rh-git29-git-2.9.3-3.el6.x86_64.rpm	SHA-256: 9b1bb31082a42c25b57122adccf585758b9bd42217e28e0b0e0fa4964a6faf18
rh-git29-git-all-2.9.3-3.el6.noarch.rpm	SHA-256: b6f385c9f66b0fd96a5aacbd75b3e6be9e8322f178eaf760fe7714a56e366738
rh-git29-git-core-2.9.3-3.el6.x86_64.rpm	SHA-256: a9adcd1edcbf50cc6178bdaeba0b89853b7ad8506dd6169a0fd2239699bc3475
rh-git29-git-core-doc-2.9.3-3.el6.x86_64.rpm	SHA-256: a6404b446f36e256805dc9ed173dbf0662c0342030bcdcd306b68bf99b258636
rh-git29-git-cvs-2.9.3-3.el6.noarch.rpm	SHA-256: 414700f1e95285192e13166555957e2c28f3e05bc0fdf3c8151778b7d86405ef
rh-git29-git-daemon-2.9.3-3.el6.x86_64.rpm	SHA-256: 98a11a6d3ff07401180822c17a78355a5e7370b4909dadec9e62000ab35df0c3
rh-git29-git-debuginfo-2.9.3-3.el6.x86_64.rpm	SHA-256: e04615ecc446d160ebcc18b2459c44925c39147d7b57c22c9dda70800507c7f9
rh-git29-git-email-2.9.3-3.el6.noarch.rpm	SHA-256: a38bc957d96824a0b0092b8691411dc86224783f18043b6e80e55f18d1f8f093
rh-git29-git-gui-2.9.3-3.el6.noarch.rpm	SHA-256: c55265272e2149314b1dc54ef5f54a4b29a85b0a2bebec3166412085d87fa793
rh-git29-git-p4-2.9.3-3.el6.noarch.rpm	SHA-256: 12e5c32cf533121c4ebe7e0d228cd510a9b4a6f2ee0b743e34abf6d103b3e499
rh-git29-git-svn-2.9.3-3.el6.x86_64.rpm	SHA-256: b3c455571143a18ef6f4868c6c773195a0ed83bddf3ed2de98939a2e41276e61
rh-git29-gitk-2.9.3-3.el6.noarch.rpm	SHA-256: d987e91e3180daa73c23dca62da5f14181d158fff05439d85d5338ae223a94ef
rh-git29-gitweb-2.9.3-3.el6.noarch.rpm	SHA-256: 49231c3b271877bddd7210398417249dead4e3d15063d0fb3a841721c91594ee
rh-git29-perl-Git-2.9.3-3.el6.noarch.rpm	SHA-256: 40dd6435d3a536327f14937b5839a62846f7ae978515ba8db62dee2ed455af05
rh-git29-perl-Git-SVN-2.9.3-3.el6.noarch.rpm	SHA-256: da54ac2191510445fb7af49d0bcb4a1773d01c0a505d54d494230184f695add6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories