Security update for git SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:4257-1 Final 1 1 2018-12-22T18:19:29Z current 2018-12-22T18:19:29Z 2018-12-22T18:19:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issues: Security issue fixed: - CVE-2018-19486: Fixed git that executed commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was (bsc#1117257). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00062.html E-Mail link for openSUSE-SU-2018:4257-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 git-2.16.4-lp150.2.9.1 git-arch-2.16.4-lp150.2.9.1 git-core-2.16.4-lp150.2.9.1 git-credential-gnome-keyring-2.16.4-lp150.2.9.1 git-credential-libsecret-2.16.4-lp150.2.9.1 git-cvs-2.16.4-lp150.2.9.1 git-daemon-2.16.4-lp150.2.9.1 git-doc-2.16.4-lp150.2.9.1 git-email-2.16.4-lp150.2.9.1 git-gui-2.16.4-lp150.2.9.1 git-p4-2.16.4-lp150.2.9.1 git-svn-2.16.4-lp150.2.9.1 git-web-2.16.4-lp150.2.9.1 gitk-2.16.4-lp150.2.9.1 git-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-arch-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-core-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-credential-gnome-keyring-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-credential-libsecret-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-cvs-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-daemon-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-doc-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-email-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-gui-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-p4-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-svn-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 git-web-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 gitk-2.16.4-lp150.2.9.1 as a component of openSUSE Leap 15.0 Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017. CVE-2018-19486 openSUSE Leap 15.0:git-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-arch-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-core-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-credential-gnome-keyring-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-credential-libsecret-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-cvs-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-daemon-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-doc-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-email-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-gui-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-p4-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-svn-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:git-web-2.16.4-lp150.2.9.1 openSUSE Leap 15.0:gitk-2.16.4-lp150.2.9.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00062.html https://www.suse.com/security/cve/CVE-2018-19486.html CVE-2018-19486 https://bugzilla.suse.com/1117257 SUSE Bug 1117257