Changelog
git (1:2.11.0-3+deb9u5) stretch-security; urgency=high

  * Apply patches addressing the security issues CVE-2019-1348,
    CVE-2019-1349, CVE-2019-1352, CVE-2019-1353, and CVE-2019-1387.

    Credit for finding these vulnerabilities goes to Microsoft
    Security Response Center, in particular to Nicolas Joly. Fixes
    were provided by Jeff King and Johannes Schindelin with help
    from Garima Singh.
  * Reject setting "update = !command" in .gitmodules. This makes
    the behavior better match Git 2.24.1 which made the same change
    to address the arbitrary code execution issue CVE-2019-19604
    (which does not affect Git versions before 2.20.0).

    Also reject "update = !command" in fsck. This ensures that if
    Git is run as a server with "transfer.fsckObjects" enabled,
    it cannot be used to attack clients vulnerable to
    CVE-2019-19604.

    Credit for finding this vulnerability goes to Joern
    Schneeweisz from GitLab.

 -- Jonathan Nieder <email address hidden> Tue, 10 Dec 2019 08:14:58 +0000