"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1841-2 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 31, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : git-core
Vulnerability : several
Problem type : remote
Debian-specific: no
Debian bug : 532935
CVE ID : CVE-2009-2108
A bug in git-core caused the security update in DSA 1841 to fail to
build on a number of architectures Debian supports. This update corrects
the bug and releases builds for all supported architectures. The original
advisory is quoted in full below for reference.
It was discovered that git-daemon which is part of git-core, a popular
distributed revision control system, is vulnerable to denial of service
attacks caused by a programming mistake in handling requests containing
extra unrecognized arguments which results in an infinite loop. While
this is no problem for the daemon itself as every request will spawn a
new git-daemon instance, this still results in a very high CPU consumption
and might lead to denial of service conditions.
For the oldstable distribution (etch), this problem has been fixed in
version 1.4.4.4-4+etch4.
For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny3.
For the testing distribution (squeeze), this problem has been fixed in
version 1:1.6.3.3-1.
For the unstable distribution (sid), this problem has been fixed in
version 1:1.6.3.3-1.
We recommend that you upgrade your git-core packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4.orig.tar.gz
Size/MD5 checksum: 1054130 99bc7ea441226f792b6f796a838e7ef0
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4.diff.gz
Size/MD5 checksum: 73235 dc66a5a33f4d839abd293af8e9d1c7f0
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4.dsc
Size/MD5 checksum: 806 4ecf33d79aef69bd3ee67e39bd2e5603
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 99956 bb358ac7ca0a4ff838d3b649fc280ac5
http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 94344 35222422017d16424d60b572d448b2ed
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 101186 e50e5c5b047fd40306ec79177fb1e27b
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 63440 1ce3e8f130c61118e15f50fbea98f745
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 69120 555d3f7a0f717f022b837ec218840b5b
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 88662 089131cbe345889f72b524e8d0c657ed
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 55972 d06f9e25da08588e38b2c0a6fa346c4a
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.4.4.4-4+etch4_all.deb
Size/MD5 checksum: 466846 3bef63b0904636416641058a04814b10
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_alpha.deb
Size/MD5 checksum: 3088230 4515c64cfea5951473db08b8cc3435d3
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_amd64.deb
Size/MD5 checksum: 2632004 b044de6564162f32353d84343e1e41ae
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_arm.deb
Size/MD5 checksum: 2320858 3ed0f7b8c366351121fc9534df90d328
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_hppa.deb
Size/MD5 checksum: 2694200 17f793cb6d02e633053f18d820ed63b1
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_i386.deb
Size/MD5 checksum: 2349876 2c0d7e7f67af0f3d956626e4bf9c61a6
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_ia64.deb
Size/MD5 checksum: 3815920 54305a771f4728607741fc91825abd60
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_mips.deb
Size/MD5 checksum: 2769740 ff6077a27445fa6be6dc6df8d7a412ae
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_mipsel.deb
Size/MD5 checksum: 2801552 d4a45ed2e6e0907d4a9b176ca9943e1d
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_powerpc.deb
Size/MD5 checksum: 2639258 1626503d70b23864cc452876643b4b77
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_s390.deb
Size/MD5 checksum: 2628348 7c6ba1577e3019fb36b9cd1e3b1ad9e0
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.4.4.4-4+etch4_sparc.deb
Size/MD5 checksum: 2298750 ae0ebfaeceba12e48b1240f0e6cf2a14
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.dsc
Size/MD5 checksum: 1332 f4dfc057bd2a48ba453816e04f34b7df
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5.orig.tar.gz
Size/MD5 checksum: 2103619 c22da91c913a02305fd8a1a2298f75c9
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3.diff.gz
Size/MD5 checksum: 228640 87e8934e0efe7f374b21e0f8fb15474f
Architecture independent packages:
http://security.debian.org/pool/updates/main/g/git-core/gitweb_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 268052 976f1bdd1a003aa01360235d506a68b6
http://security.debian.org/pool/updates/main/g/git-core/git-daemon-run_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 217816 a0719a52047880856fc560fbdd54311e
http://security.debian.org/pool/updates/main/g/git-core/git-arch_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 231042 a313316163e3db501357d834a1db7b90
http://security.debian.org/pool/updates/main/g/git-core/git-cvs_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 267244 0b91300ac7fee3068cd7767f8998a6a6
http://security.debian.org/pool/updates/main/g/git-core/gitk_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 298644 843b4c601e157df5f1ea559fe22e7a72
http://security.debian.org/pool/updates/main/g/git-core/git-gui_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 401594 d6737e683c17e09a3ecf7e9149af5de4
http://security.debian.org/pool/updates/main/g/git-core/git-svn_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 268286 1582d20b0024de9879e3f289129106d8
http://security.debian.org/pool/updates/main/g/git-core/git-doc_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 1076836 1ec7e1d1d2539ed4277c35bef096ae8b
http://security.debian.org/pool/updates/main/g/git-core/git-email_1.5.6.5-3+lenny3_all.deb
Size/MD5 checksum: 229326 aaf22d02fe5ac00a424be096dd8c1f80
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_alpha.deb
Size/MD5 checksum: 3808760 24030074496a4a25e448baf21aae4450
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_amd64.deb
Size/MD5 checksum: 3419522 190a16cd10d5591706e79d15831d6bfa
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_arm.deb
Size/MD5 checksum: 3045458 8bebf2cf789fcba33a1d0dfc8d259f6b
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_armel.deb
Size/MD5 checksum: 3068324 11e7a4ad3c4cd6c91b58d79536fdc282
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_hppa.deb
Size/MD5 checksum: 3162798 fb850a0f8b458cc8ef68b7a98c25d269
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_i386.deb
Size/MD5 checksum: 3139856 a19a17b97f8028298fe0bf0cc77fa139
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_ia64.deb
Size/MD5 checksum: 4759214 30d6cc0cd9c19adc03e84ea6f4e0fa1d
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_mips.deb
Size/MD5 checksum: 3409214 7a4aa4251c5e8b9ece35b76fec637e68
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_mipsel.deb
Size/MD5 checksum: 3420712 1218f69d04d4b19bd06dbc8878aef769
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_powerpc.deb
Size/MD5 checksum: 3473328 4fadd92d0f8554f29acb67e641cd355a
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_s390.deb
Size/MD5 checksum: 3411332 0daeff8bd1b44a86c16d46572d51a43f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/g/git-core/git-core_1.5.6.5-3+lenny3_sparc.deb
Size/MD5 checksum: 3069038 3ba2810657f07949ac284274f1356973
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJLZYYzAAoJECIIoQCMVaAcd3sH/0Rcb0NuNO+1S3qGePhBSdDw
NDqdhvbiwEBfT6coV5K18XUMhvyjglFmkP370C1YW8s6oxJBUpQhCPGbPwRLfAS0
tZKFim6KtmvLe4CDLxyDeOnfxwoLpLLF1VgSoVEqp1//2ApFSFqd6olNzJ0kW2Oi
Yd3206z3P4/DhFqxLkUfjQsGAxuN0vSGRCCgd1DbUSP7rzuHZzOzjscRyVx7064a
nbXspHd6ApaLYKCkTrT7t2XdjFvvYQmF8XY9HxvADK4N+nFm1j/DAd9DAX7ckgg0
6CmgRKxo5gruGqkYg79Bekrr5cN7GVh6TGYZVFr3dzQ/WGHFk0CAaO3Twyn42Io=
=z1sV
-----END PGP SIGNATURE-----
"
Victoria fumes as David Beckham has his balls grabbedDSA 1982-1: New hybserv packages fix denial of service
This entry was posted
on 9:22 AM
.
Archives
-
▼
2010
(391)
-
▼
February
(42)
- USN-905-1: sudo vulnerabilities
- RHSA-2010:0115-01 Moderate: pidgin security update
- RHSA-2010:0122-01 Important: sudo security update
- USN-904-1: Squid vulnerability
- DSA 2003-1: New Linux 2.6.18 packages fix several ...
- DSA-2002-1: New polipo packages fix denial of service
- RHSA-2010:0114-01 Critical: acroread security and ...
- USN-902-1: Pidgin vulnerabilities
- DSA 1999-1: New xulrunner packages fix several vul...
- USN-895-1: Firefox 3.0 and Xulrunner 1.9 vulnerabi...
- USN-890-5: XML-RPC for C and C++ vulnerabilities
- DSA 2000-1: New ffmpeg packages fix several vulner...
- RHSA-2010:0110-01 Moderate: mysql security update
- RHSA-2010:0115-01 Moderate: pidgin security update
- USN-896-1: Firefox 3.5 and Xulrunner 1.9.1 vulnera...
- RHSA-2010:0112-01 Critical: firefox security update
- RHSA-2010:0113-01 Critical: seamonkey security update
- DSA 1998-1: New kdelibs packages fix arbitrary cod...
- RHSA-2010:0108-01 Moderate: NetworkManager securit...
- USN-900-1: Ruby vulnerabilities
- USN-898-1: gnome-screensaver vulnerability
- RHSA-2010:0103-01 Important: flash-plugin security...
- DSA-1997-1: New mysql-dfsg-5.0 packages fix severa...
- DSA 1994-1: New ajaxterm packages fix session hija...
- RHSA-2010:0102-01 Important: flash-plugin security...
- USN-897-1: MySQL vulnerabilities
- USN-899-1: Tomcat vulnerabilities
- DSA 1992-1: New chrony packages fix denial of service
- DSA 1993-1: New otrs2 packages fix SQL injection
- RHSA-2010:0094-02 Critical: HelixPlayer security u...
- RHSA-2010:0079-01 Important: kernel security and b...
- DSA 1986-1: New moodle packages fix several vulner...
- DSA 1991-1: New squid/squid3 packages fix denial o...
- RHSA-2010:0088-02 Important: kvm security and bug ...
- DSA-1989-1: New fuse packages fix denial of service
- DSA 1841-2: New git-core packages fix build failure
- DSA 1987-1: New lighttpd packages fix denial of se...
- DSA 1983-1: New Wireshark packages fix several vul...
- DSA-1990-2: New trac-git package fixes regression
- DSA-1990-1: New trac-git packages fix code execution
- DSA 1982-1: New hybserv packages fix denial of ser...
- DSA 1968-2: New pdns-recursor packages fix cache p...
-
▼
February
(42)