CVE-2017-14867

Published: 28 September 2017

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Priority

CVSS 3 base score: 8.8

Status

Package	Release	Status
git Launchpad, Ubuntu, Debian	Upstream	Released (1:2.14.2-1)




	Ubuntu 16.04 ESM (Xenial Xerus)	Released (1:2.7.4-0ubuntu1.3)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [1:1.9.1-1ubuntu0.7])
	Patches: Vendor: http://repo.or.cz/git/debian.git/commit/ad86ba2e77a442db38510bcc5e5283872df49d88

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867
http://www.openwall.com/lists/oss-security/2017/09/26/9
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u
https://lists.debian.org/debian-security-announce/2017/msg00246.html
https://www.debian.org/security/2017/dsa-3984
https://ubuntu.com/security/notices/USN-3438-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›