http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586

APPLE-SA-2013-09-18-3

openSUSE-SU-2013:0380

openSUSE-SU-2013:0382

[ANNOUNCE] 20130220 Git v1.8.1.4

RHSA-2013:0589

52361

52443

52467

http://support.apple.com/kb/HT5937

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

58148

1028205

https://bugzilla.novell.com/show_bug.cgi?id=804730

https://bugzilla.redhat.com/show_bug.cgi?id=909977

git-gitimapsend-spoofing(82329)

https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt

git imap-send was fixed to do SSL host verification.

This can be disabled if necessary in the config file.

The remote Mac OS X host has Apple Xcode prior to 5.0 installed. It, therefore, includes a version of git in which the imap-send command reportedly does not verify that a server hostname matches the domain name in its X.509 certificate. A man-in-the-middle attacker could leverage this vulnerability to spoof SSL servers via an arbitrary valid certificate.

From Red Hat Security Advisory 2013:0589 :

Updated git packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Git is a fast, scalable, distributed revision control system.

It was discovered that Git's git-imap-send command, a tool to send a collection of patches from standard input (stdin) to an IMAP folder, did not properly perform SSL X.509 v3 certificate validation on the IMAP server's certificate, as it did not ensure that the server's hostname matched the one provided in the CN field of the server's certificate. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information. (CVE-2013-0308)

All git users should upgrade to these updated packages, which contain a backported patch to correct this issue.

Updated git packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Git is a fast, scalable, distributed revision control system.

It was discovered that Git's git-imap-send command, a tool to send a collection of patches from standard input (stdin) to an IMAP folder, did not properly perform SSL X.509 v3 certificate validation on the IMAP server's certificate, as it did not ensure that the server's hostname matched the one provided in the CN field of the server's certificate. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information. (CVE-2013-0308)

All git users should upgrade to these updated packages, which contain a backported patch to correct this issue.

It was discovered that Git's git-imap-send command, a tool to send a collection of patches from standard input (stdin) to an IMAP folder, did not properly perform SSL X.509 v3 certificate validation on the IMAP server's certificate, as it did not ensure that the server's hostname matched the one provided in the CN field of the server's certificate. A rogue server could use this flaw to conduct man-in-the-middle attacks, possibly leading to the disclosure of sensitive information. (CVE-2013-0308)

This update fixes CVE-2013-0308 (Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
74912	openSUSE Security Update : git (openSUSE-SU-2013:0380-1)	Nessus	SuSE Local Security Checks	medium
70093	Apple Xcode < 5.0 (Mac OS X)	Nessus	MacOS X Local Security Checks	medium
68770	Oracle Linux 6 : git (ELSA-2013-0589)	Nessus	Oracle Linux Local Security Checks	medium
65160	CentOS 6 : git (CESA-2013:0589)	Nessus	CentOS Local Security Checks	medium
65018	Scientific Linux Security Update : git on SL6.x i386/x86_64 (20130304)	Nessus	Scientific Linux Local Security Checks	medium
65006	RHEL 6 : git (RHSA-2013:0589)	Nessus	Red Hat Local Security Checks	medium
64981	Fedora 18 : git-1.8.1.4-1.fc18 (2013-2829)	Nessus	Fedora Local Security Checks	medium
64976	Fedora 17 : git-1.7.11.7-3.fc17 (2013-2763)	Nessus	Fedora Local Security Checks	medium

CVE-2013-0308

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium