git-2.33.0-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10786-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z git-2.33.0-1.3 on GA media These are all security issues fixed in the git-2.33.0-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10786 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2005-4900/ SUSE CVE CVE-2005-4900 page https://www.suse.com/security/cve/CVE-2017-1000117/ SUSE CVE CVE-2017-1000117 page https://www.suse.com/security/cve/CVE-2017-14867/ SUSE CVE CVE-2017-14867 page https://www.suse.com/security/cve/CVE-2017-15298/ SUSE CVE CVE-2017-15298 page https://www.suse.com/security/cve/CVE-2017-8386/ SUSE CVE CVE-2017-8386 page https://www.suse.com/security/cve/CVE-2018-11233/ SUSE CVE CVE-2018-11233 page https://www.suse.com/security/cve/CVE-2018-11235/ SUSE CVE CVE-2018-11235 page https://www.suse.com/security/cve/CVE-2018-17456/ SUSE CVE CVE-2018-17456 page https://www.suse.com/security/cve/CVE-2018-19486/ SUSE CVE CVE-2018-19486 page https://www.suse.com/security/cve/CVE-2019-1348/ SUSE CVE CVE-2019-1348 page https://www.suse.com/security/cve/CVE-2019-1349/ SUSE CVE CVE-2019-1349 page https://www.suse.com/security/cve/CVE-2019-1350/ SUSE CVE CVE-2019-1350 page https://www.suse.com/security/cve/CVE-2019-1351/ SUSE CVE CVE-2019-1351 page https://www.suse.com/security/cve/CVE-2019-1352/ SUSE CVE CVE-2019-1352 page https://www.suse.com/security/cve/CVE-2019-1353/ SUSE CVE CVE-2019-1353 page https://www.suse.com/security/cve/CVE-2019-1354/ SUSE CVE CVE-2019-1354 page https://www.suse.com/security/cve/CVE-2019-1387/ SUSE CVE CVE-2019-1387 page https://www.suse.com/security/cve/CVE-2019-19604/ SUSE CVE CVE-2019-19604 page https://www.suse.com/security/cve/CVE-2020-11008/ SUSE CVE CVE-2020-11008 page https://www.suse.com/security/cve/CVE-2020-5260/ SUSE CVE CVE-2020-5260 page https://www.suse.com/security/cve/CVE-2021-21300/ SUSE CVE CVE-2021-21300 page openSUSE Tumbleweed git-2.33.0-1.3 git-arch-2.33.0-1.3 git-core-2.33.0-1.3 git-credential-gnome-keyring-2.33.0-1.3 git-credential-libsecret-2.33.0-1.3 git-cvs-2.33.0-1.3 git-daemon-2.33.0-1.3 git-doc-2.33.0-1.3 git-email-2.33.0-1.3 git-gui-2.33.0-1.3 git-p4-2.33.0-1.3 git-svn-2.33.0-1.3 git-web-2.33.0-1.3 gitk-2.33.0-1.3 perl-Git-2.33.0-1.3 git-2.33.0-1.3 as a component of openSUSE Tumbleweed git-arch-2.33.0-1.3 as a component of openSUSE Tumbleweed git-core-2.33.0-1.3 as a component of openSUSE Tumbleweed git-credential-gnome-keyring-2.33.0-1.3 as a component of openSUSE Tumbleweed git-credential-libsecret-2.33.0-1.3 as a component of openSUSE Tumbleweed git-cvs-2.33.0-1.3 as a component of openSUSE Tumbleweed git-daemon-2.33.0-1.3 as a component of openSUSE Tumbleweed git-doc-2.33.0-1.3 as a component of openSUSE Tumbleweed git-email-2.33.0-1.3 as a component of openSUSE Tumbleweed git-gui-2.33.0-1.3 as a component of openSUSE Tumbleweed git-p4-2.33.0-1.3 as a component of openSUSE Tumbleweed git-svn-2.33.0-1.3 as a component of openSUSE Tumbleweed git-web-2.33.0-1.3 as a component of openSUSE Tumbleweed gitk-2.33.0-1.3 as a component of openSUSE Tumbleweed perl-Git-2.33.0-1.3 as a component of openSUSE Tumbleweed SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation. CVE-2005-4900 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-4900.html CVE-2005-4900 https://bugzilla.suse.com/1026646 SUSE Bug 1026646 https://bugzilla.suse.com/1026936 SUSE Bug 1026936 https://bugzilla.suse.com/1042640 SUSE Bug 1042640 https://bugzilla.suse.com/1150998 SUSE Bug 1150998 A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. CVE-2017-1000117 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000117.html CVE-2017-1000117 https://bugzilla.suse.com/1052481 SUSE Bug 1052481 https://bugzilla.suse.com/1052696 SUSE Bug 1052696 https://bugzilla.suse.com/1052932 SUSE Bug 1052932 https://bugzilla.suse.com/1053364 SUSE Bug 1053364 https://bugzilla.suse.com/1053600 SUSE Bug 1053600 https://bugzilla.suse.com/1053919 SUSE Bug 1053919 https://bugzilla.suse.com/1054653 SUSE Bug 1054653 https://bugzilla.suse.com/1058214 SUSE Bug 1058214 https://bugzilla.suse.com/1066430 SUSE Bug 1066430 https://bugzilla.suse.com/1071709 SUSE Bug 1071709 Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. CVE-2017-14867 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-14867.html CVE-2017-14867 https://bugzilla.suse.com/1060377 SUSE Bug 1060377 https://bugzilla.suse.com/1060378 SUSE Bug 1060378 https://bugzilla.suse.com/1061041 SUSE Bug 1061041 Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. CVE-2017-15298 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15298.html CVE-2017-15298 https://bugzilla.suse.com/1063412 SUSE Bug 1063412 git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character. CVE-2017-8386 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8386.html CVE-2017-8386 https://bugzilla.suse.com/1038395 SUSE Bug 1038395 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. CVE-2018-11233 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11233.html CVE-2018-11233 https://bugzilla.suse.com/1095218 SUSE Bug 1095218 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. CVE-2018-11235 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11235.html CVE-2018-11235 https://bugzilla.suse.com/1095219 SUSE Bug 1095219 Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. CVE-2018-17456 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17456.html CVE-2018-17456 https://bugzilla.suse.com/1110949 SUSE Bug 1110949 Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017. CVE-2018-19486 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19486.html CVE-2018-19486 https://bugzilla.suse.com/1117257 SUSE Bug 1117257 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. CVE-2019-1348 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 low 3.6 AV:L/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1348.html CVE-2019-1348 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1349 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1349.html CVE-2019-1349 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1350 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1350.html CVE-2019-1350 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158788 SUSE Bug 1158788 A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'. CVE-2019-1351 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1351.html CVE-2019-1351 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158789 SUSE Bug 1158789 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387. CVE-2019-1352 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1352.html CVE-2019-1352 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 https://bugzilla.suse.com/1158790 SUSE Bug 1158790 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. CVE-2019-1353 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1353.html CVE-2019-1353 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158791 SUSE Bug 1158791 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387. CVE-2019-1354 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 low 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1354.html CVE-2019-1354 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158792 SUSE Bug 1158792 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. CVE-2019-1387 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1387.html CVE-2019-1387 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158793 SUSE Bug 1158793 Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. CVE-2019-19604 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19604.html CVE-2019-19604 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158795 SUSE Bug 1158795 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability. CVE-2020-11008 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11008.html CVE-2020-11008 https://bugzilla.suse.com/1169936 SUSE Bug 1169936 https://bugzilla.suse.com/1170741 SUSE Bug 1170741 Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVE-2020-5260 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-5260.html CVE-2020-5260 https://bugzilla.suse.com/1168930 SUSE Bug 1168930 https://bugzilla.suse.com/1169936 SUSE Bug 1169936 https://bugzilla.suse.com/1170741 SUSE Bug 1170741 Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6. CVE-2021-21300 openSUSE Tumbleweed:git-2.33.0-1.3 openSUSE Tumbleweed:git-arch-2.33.0-1.3 openSUSE Tumbleweed:git-core-2.33.0-1.3 openSUSE Tumbleweed:git-credential-gnome-keyring-2.33.0-1.3 openSUSE Tumbleweed:git-credential-libsecret-2.33.0-1.3 openSUSE Tumbleweed:git-cvs-2.33.0-1.3 openSUSE Tumbleweed:git-daemon-2.33.0-1.3 openSUSE Tumbleweed:git-doc-2.33.0-1.3 openSUSE Tumbleweed:git-email-2.33.0-1.3 openSUSE Tumbleweed:git-gui-2.33.0-1.3 openSUSE Tumbleweed:git-p4-2.33.0-1.3 openSUSE Tumbleweed:git-svn-2.33.0-1.3 openSUSE Tumbleweed:git-web-2.33.0-1.3 openSUSE Tumbleweed:gitk-2.33.0-1.3 openSUSE Tumbleweed:perl-Git-2.33.0-1.3 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21300.html CVE-2021-21300 https://bugzilla.suse.com/1183026 SUSE Bug 1183026