Fedora 25 : git (2017-66aa5d1d33)

high Nessus Plugin ID 103897

Synopsis

The remote Fedora host is missing a security update.

Description

These releases are about hardening `git shell`, which is used on servers, against unsafe user input that `git cvsserver` copes with poorly.

From the release notes:

- 'git cvsserver' no longer is invoked by 'git shell' by default, as it is old and largely unmaintained.

- Various Perl scripts did not use safe_pipe_capture() instead of backticks, leaving them susceptible to end-user input. They have been corrected. Credits go to joernchen <[email protected]> for finding the unsafe constructs in 'git cvsserver', and to Jeff King at GitHub for finding and fixing instances of the same issue in other scripts.

References:

<http://seclists.org/oss-sec/2017/q3/534>
<https://public-inbox.org/git/[email protected] .com/>

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected git package.

See Also

https://seclists.org/oss-sec/2017/q3/534

https://bodhi.fedoraproject.org/updates/FEDORA-2017-66aa5d1d33

http://www.nessus.org/u?dedeed43

Plugin Details

Severity: High

ID: 103897

File Name: fedora_2017-66aa5d1d33.nasl

Version: 3.5

Type: local

Agent: unix

Published: 10/18/2017

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:git, cpe:/o:fedoraproject:fedora:25

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 10/11/2017

Vulnerability Publication Date: 10/11/2017

Reference Information