Package "git"

Name: git


fast, scalable, distributed revision control system

Latest version: 1:1.9.1-1ubuntu0.10
Release: trusty (14.04)
Level: security
Repository: main
Homepage: http://git-scm.com/


Save this URL for the latest version of "git": https://www.ubuntuupdates.org/git

Download "git"

Other versions of "git" in Trusty

Repository Area Version
base main 1:1.9.1-1
base universe 1:1.9.1-1
security universe 1:1.9.1-1ubuntu0.10
updates main 1:1.9.1-1ubuntu0.10
updates universe 1:1.9.1-1ubuntu0.10

Packages in group

Deleted packages are displayed in grey.


Version: 1:1.9.1-1ubuntu0.10 2018-11-27 21:07:13 UTC

  git (1:1.9.1-1ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-15298.patch: fix in diff.h,
    - CVE-2017-15298

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 26 Nov 2018 09:50:20 -0300

Source diff to previous version
CVE-2017-15298 Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted r

Version: 1:1.9.1-1ubuntu0.9 2018-10-12 02:06:17 UTC

  git (1:1.9.1-1ubuntu0.9) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule URLs and
    paths in .gitsubmodules.
    - 0001-submodule-helper-use-to-signal-end-of-clone-options.patch,
      disallow urls and files that begin with '--'. Thanks to Jonathan
      Nieder for the backported fixes.
    - 0004-fsck-detect-submodule-urls-starting-with-dash.patch,
      reject gitmodules that contain submdule urls and files that begin
      with '--'.
    - CVE-2018-17456
  * SECURITY UPDATE: incomplete fix for CVE-2017-14867
    - 0006-cvsimport-apply-shell-quoting-regex-globally.patch: escape
      all instances of backticks
  * debian/patches/0007-fsck-fix.patch: return correct value on fsck
    error (thanks to Pavel Cahyna for pointing this out).

 -- Steve Beattie <email address hidden> Wed, 10 Oct 2018 11:59:27 -0700

Source diff to previous version
CVE-2018-17456 Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote cod
CVE-2017-14867 Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support sub

Version: 1:1.9.1-1ubuntu0.8 2018-06-05 23:07:16 UTC

  git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0005-submodule-config-verify-submodule-names-as-paths.patch
    - 0018-fsck-simplify-.git-check.patch
    - 0020-fsck-actually-fsck-blob-data.patch
    - 0025-fsck-detect-gitmodules-files.patch
    - 0026-fsck-check-.gitmodules-content.patch
    - 0027-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
    - 0029-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
  * debian/rules: ensure added tests are executable.
    - 0001-apply-reject-input-that-touches-outside-the-working-a.patch
    - 0002-apply-do-not-read-from-the-filesystem-under-index.patch
    - 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
    - 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
    - 0007-is_hfs_dotgit-match-other-.git-files.patch
    - 0008-is_ntfs_dotgit-match-other-.git-files.patch
    - 0009-skip_prefix-add-case-insensitive-variant.patch
    - 0010-verify_path-drop-clever-fallthrough.patch
    - 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0012-update-index-stat-updated-files-earlier.patch
    - 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0014-sha1_file-add-read_loose_object-function.patch
    - 0015-fsck-drop-inode-sorting-code.patch
    - 0016-fsck-parse-loose-object-paths-directly.patch
    - 0017-index-pack-make-fsck-error-message-more-specific.patch
    - 0019-fsck_object-allow-passing-object-data-separately-from.patch
    - 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
    - 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
    - 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
    - 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
    - 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * move patches from debian/diff to quilt debian/patch/, to avoid
    conflicts and overlooking already added patches
  * Thanks to Jonathan Nieder <email address hidden> of Debian for
    backporting to 2.1.x.

 -- Steve Beattie <email address hidden> Mon, 04 Jun 2018 10:56:07 -0700

Source diff to previous version
1774061 git: CVE-2018-11235 arbitary code execution via submodule names in .gitmodules
CVE-2018-11235 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. Wi
CVE-2018-11233 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on N

Version: 1:1.9.1-1ubuntu0.7 2017-10-05 12:06:54 UTC

  git (1:1.9.1-1ubuntu0.7) trusty-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:20:58 -0500

Source diff to previous version
1719740 [CVE] Git cvsserver OS Command Injection
CVE-2017-1486 RESERVED

Version: 1:1.9.1-1ubuntu0.6 2017-08-11 04:06:32 UTC

  git (1:1.9.1-1ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through
    malicious ssh URLs.
    - debian/diff/0019-CVE-2017-1000117.patch: filter out hostnames
      that would interpreted as cli arguments to ssh
    - CVE-2017-1000117

 -- Steve Beattie <email address hidden> Thu, 10 Aug 2017 16:36:33 -0700

CVE-2017-1000 RESERVED

About   -   Send Feedback to @ubuntu_updates