Multiple vulnerabilities in gitweb allow for remote execution of arbitrary commands.
Package | dev-util/git on all architectures |
---|---|
Affected versions | < 1.6.0.6 |
Unaffected versions | >= 1.6.0.6 |
GIT - the stupid content tracker, the revision control system used by the Linux kernel team.
Multiple vulnerabilities have been reported in gitweb that is part of the git package:
A remote unauthenticated attacker can execute arbitrary commands via shell metacharacters in a query, remote attackers with write access to a git repository configuration can execute arbitrary commands with the privileges of the user running gitweb by modifying the diff.external configuration variable in the repository and sending a crafted query to gitweb.
There is no known workaround at this time.
All git users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/git-1.6.0.6"
Release date
March 09, 2009
Latest revision
March 09, 2009: 01
Severity
high
Exploitable
remote
Bugzilla entries