Multiple vulnerabilities in gitweb allow for remote execution of arbitrary commands.
|Package||dev-util/git on all architectures|
|Affected versions||< 220.127.116.11|
|Unaffected versions||>= 18.104.22.168|
GIT - the stupid content tracker, the revision control system used by the Linux kernel team.
Multiple vulnerabilities have been reported in gitweb that is part of the git package:
A remote unauthenticated attacker can execute arbitrary commands via shell metacharacters in a query, remote attackers with write access to a git repository configuration can execute arbitrary commands with the privileges of the user running gitweb by modifying the diff.external configuration variable in the repository and sending a crafted query to gitweb.
There is no known workaround at this time.
All git users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/git-22.214.171.124"
March 09, 2009
March 09, 2009: 01