--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-c841bcc3b9
2019-12-18 01:52:04.721087
--------------------------------------------------------------------------------
Name : git
Product : Fedora 31
Version : 2.24.1
Release : 1.fc31
URL : https://git-scm.com/
Summary : Fast Version Control System
Description :
Git is a fast, scalable, distributed revision control system with an
unusually rich command set that provides both high-level operations
and full access to internals.
The git rpm installs a common set of tools which are usually used with a
small number of dependencies. To install all git packages, including
tools for integrating with other SCMs, install the git-all meta-package.
--------------------------------------------------------------------------------
Update Information:
Per the upstream release announcement
(https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/),
this release fixes "various security flaws, which allowed an attacker to
overwrite arbitrary paths, remotely execute code, and/or overwrite files in
the .git/ directory etc. See the release notes attached for the list for
their descriptions and CVE identifiers." Refer to the 2.14.6 release notes
(https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.14.6.txt) for
details on these vulnerabilities and the 2.24.0 release notes
(https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.24.0.txt) for
details on other improvements and fixes since 2.23.0.
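The fixes above all concern paths a repository can trick an unpatched client into writing: names with backslashes, names that resolve to the .git directory (including NTFS alternate-data-stream spellings), and paths that land outside the worktree. The script below is an added example written for this notification, not part of the Fedora package or of Git; it runs a defender-side audit over the NUL-separated output of `git ls-files -z` and reports entries of those classes, so a repository can be inspected before it is checked out by a client that has not yet been updated. The sample input is constructed, the path rules are a heuristic reading of the advisory text, and the CVE numbers in the messages are only those the References section pairs with that path class.

```python
"""Flag tracked paths of the kinds the Git 2.24.1 advisory describes.

Added example, not part of the Fedora notification or of Git itself. It
consumes the NUL-separated list that `git ls-files -z` prints (a
constructed sample is embedded so it runs offline) and reports entries a
patched Git refuses to check out.
"""
import re
from typing import List, Tuple

# Constructed sample: what `git ls-files -z` might print for a hostile repo.
SAMPLE_LS_FILES = b"\0".join([
    b"README.md",
    b"src/main.c",
    b"docs\\notes.txt",           # backslash in a filename
    b".GIT/hooks/post-checkout",  # .git component, differs only in case
    b".git::$INDEX_ALLOCATION",   # NTFS alternate data stream on .git
    b"../outside.txt",            # escapes the worktree
    b"/etc/passwd",               # absolute path
    b"sub/.git/config",           # nested .git component
]) + b"\0"

# Split on both separators explicitly rather than via os.path, so the
# result is the same on every host: Git on Windows accepts / and \.
_SEP = re.compile(rb"[\\/]+")


def classify(path: bytes) -> List[str]:
    """Return the reasons a path is unsafe (empty list if it looks fine)."""
    reasons: List[str] = []
    if b"\\" in path:
        reasons.append("backslash in filename (CVE-2019-1354)")
    # Leading separator or a drive-letter prefix: not relative to the worktree.
    if path.startswith((b"/", b"\\")) or re.match(rb"[A-Za-z]:", path):
        reasons.append("absolute path, would write outside the worktree")
    components = [c for c in _SEP.split(path) if c]
    if b".." in components:
        reasons.append("'..' component, would write outside the worktree")
    for comp in components:
        # Drop an NTFS stream suffix (`name:stream`) before comparing, so
        # `.git::$INDEX_ALLOCATION` is caught exactly like `.git`.
        base = comp.split(b":", 1)[0]
        if base.lower() == b".git":
            reasons.append("component resolves to .git (CVE-2019-1352)")
            break
    return reasons


def scan_ls_files(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse `git ls-files -z` output; return (path, reasons) for flagged entries."""
    flagged = []
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry.decode("utf-8", "backslashreplace"), reasons))
    return flagged


if __name__ == "__main__":
    # Real use: git ls-files -z | python3 audit_paths.py  (read sys.stdin.buffer)
    for path, why in scan_ls_files(SAMPLE_LS_FILES):
        print(f"{path!r}: {'; '.join(why)}")
```

The check is deliberately byte-oriented and separator-agnostic, because the dangerous spellings are only dangerous on the filesystem that eventually receives them; an audit run on Linux should still flag a `.GIT` or `.git:stream` entry destined for an NTFS checkout. It supplements, rather than replaces, installing the fixed package.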
--------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 10 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.1-1
- update to 2.24.1 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387)
* Wed Dec 4 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-2
- restore jgit BR for use in tests
* Mon Nov 4 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-1
- update to 2.24.0
* Thu Oct 31 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-0.2.rc2
- update to 2.24.0-rc2
* Sun Oct 27 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-0.1.rc1.1
- disable linkchecker on all EL releases
* Thu Oct 24 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-0.1.rc1
- update to 2.24.0-rc1
- skip failing test in t7812-grep-icase-non-ascii on s390x
- gitk: add Requires: git-gui (#1765113)
* Sat Oct 19 2019 Todd Zullinger <tmz(a)pobox.com> - 2.24.0-0.0.rc0
- update to 2.24.0-rc0
- fix t0500-progress-display on big-endian arches
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1781966 - CVE-2019-1353 git: NTFS protections inactive when running Git in
the Windows Subsystem for Linux
https://bugzilla.redhat.com/show_bug.cgi?id=1781966
[ 2 ] Bug #1781968 - CVE-2019-1354 git: Git does not refuse to write out tracked files
with backslashes in filenames
https://bugzilla.redhat.com/show_bug.cgi?id=1781968
[ 3 ] Bug #1781971 - CVE-2019-19604 git: Recursive clone followed by a submodule update
could execute code contained within repository without the user's explicit consent
https://bugzilla.redhat.com/show_bug.cgi?id=1781971
[ 4 ] Bug #1781960 - CVE-2019-1351 git: Git mistakes some paths for relative paths
allowing writing outside of the worktree while cloning
https://bugzilla.redhat.com/show_bug.cgi?id=1781960
[ 5 ] Bug #1781963 - CVE-2019-1352 git: Files inside the .git directory may be
overwritten during cloning via NTFS Alternate Data Streams
https://bugzilla.redhat.com/show_bug.cgi?id=1781963
[ 6 ] Bug #1781958 - CVE-2019-1350 git: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone
https://bugzilla.redhat.com/show_bug.cgi?id=1781958
[ 7 ] Bug #1781127 - CVE-2019-1387 git: remote code execution in recursive clones with
nested submodules
https://bugzilla.redhat.com/show_bug.cgi?id=1781127
[ 8 ] Bug #1781143 - CVE-2019-1349 git: recursive submodule cloning allows using git
directory twice with synonymous directory name written in .git/
https://bugzilla.redhat.com/show_bug.cgi?id=1781143
[ 9 ] Bug #1781953 - CVE-2019-1348 git: Arbitrary path overwriting via export-marks
in-stream command feature
https://bugzilla.redhat.com/show_bug.cgi?id=1781953
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-c841bcc3b9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------