-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2114-1                  security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
September 26, 2010                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : git-core
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2010-2542
Debian bug     : 595728 590026

The Debian stable point release 5.0.6 included updated packages of
the Git revision control system in order to fix a security issue.
Unfortunately, the update introduced a regression which could make
it impossible to clone or create git repositories. This upgrade
fixes this regression, which is tracked as Debian bug #595728.

The original security issue allowed an attacker to execute arbitrary
code if he could trick a local user into executing a git command in a
crafted working directory (CVE-2010-2542).

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny3.2.

The packages for the hppa architecture are not included in this
advisory. However, the hppa architecture is not known to be affected
by the regression.

For the testing distribution (squeeze) and the unstable distribution
(sid), the security issue has been fixed in version 1.7.1-1.1. These
distributions were not affected by the regression.

We recommend that you upgrade your git-core packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 (stable) alias lenny
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMn5cEbxelr8HyTqQRAgoLAKC1M6bR/VNriOulksumyribvvUBNACfZjlF
4kTh06lGitMNsey04BHdLUY=
=AofO
-----END PGP SIGNATURE-----