Multiple vulnerabilities in gitweb allow for remote execution of arbitrary commands.
|Package||dev-util/git on all architectures|
|Affected versions||< 188.8.131.52|
|Unaffected versions||>= 184.108.40.206|
GIT - the stupid content tracker, the revision control system used by the Linux kernel team.
Multiple vulnerabilities have been reported in gitweb that is part of the git package:
A remote unauthenticated attacker can execute arbitrary commands via shell metacharacters in a query, remote attackers with write access to a git repository configuration can execute arbitrary commands with the privileges of the user running gitweb by modifying the diff.external configuration variable in the repository and sending a crafted query to gitweb.
There is no known workaround at this time.
All git users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/git-220.127.116.11"
March 09, 2009
March 09, 2009: 01