apticron report [Sat, 06 Oct 2018 22:38:04 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
quigon.federez.net
[ 160.228.155.65 ]
The following packages are currently pending an upgrade:
git 1:2.11.0-3+deb9u4
git-man 1:2.11.0-3+deb9u4
gitweb 1:2.11.0-3+deb9u4
========================================================================
Package Details:
apt-listchanges: Reading changelog files...
apt-listchanges: changelogs
-------------------------------------------------------------
--- Changes for git (git git-man gitweb) ---
git (1:2.11.0-3+deb9u4) stretch-security; urgency=high

  * Fix CVE-2018-17456, arbitrary code execution via submodule URLs
    and paths in .gitmodules file:
    - submodule: ban submodule urls that start with a dash
    - submodule: ban submodule paths that start with a dash
    - submodule: use "--" to signal end of clone options
    - fsck: detect submodule urls that start with a dash
    - fsck: detect submodule paths that start with a dash
    Thanks to joernchen of Phenoelit for discovering and reporting
    this vulnerability and to Jeff King for fixing it.
  * Correct incomplete shell command injection fix in git cvsimport in
    1:2.11.0-3+deb9u2. A malicious CVS server could trigger
    arbitrary code execution by a user running "git cvsimport".
    - cvsimport: apply shell-quoting regex globally
    Thanks to littlelailo for discovering this vulnerability and to
    Jeff King for fixing it.

 -- Jonathan Nieder <jrnieder(a)gmail.com>  Thu, 27 Sep 2018 19:35:44 -0700
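As an added example (not part of the apticron report or of git's own code), a small checker that mirrors the two fsck checks listed in the changelog: it parses a .gitmodules file and reports every submodule whose url or path begins with a dash. The minimal git-config parser and the sample .gitmodules content are constructed here for illustration.

```python
import re

# Constructed sample .gitmodules: one benign submodule and two that carry
# the shape the deb9u4 fsck checks reject (url / path beginning with '-').
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.invalid/lib.git
[submodule "bad-url"]
\tpath = vendor
\turl = -not-a-url
[submodule "bad-path"]
\tpath = -subdir
\turl = https://example.invalid/x.git
"""

# .gitmodules uses git-config syntax: [submodule "name"] sections with
# "key = value" lines, usually tab-indented.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}}; git-config keys are
    case-insensitive, so keys are lower-cased. Comments are skipped."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip('"')
    return modules


def find_dash_submodules(text):
    """Flag (name, key, value) for every url or path that starts with '-',
    i.e. a value an option parser could mistake for a command-line flag."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = cfg.get(key, "")
            if value.startswith("-"):
                findings.append((name, key, value))
    return findings


if __name__ == "__main__":
    for name, key, value in find_dash_submodules(SAMPLE_GITMODULES):
        print(f'submodule "{name}": {key} starts with a dash: {value!r}')
```

Run it against a checked-out repository's .gitmodules before recursing into submodules on a host that has not yet received the deb9u4 packages.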
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on
quigon.federez.net
--
apticron