Security update for git SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2747-1 Final 1 1 2017-10-17T11:38:17Z current 2017-10-17T11:38:17Z 2017-10-17T11:38:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issues: This security issue was fixed: - CVE-2017-14867: Git used unsafe Perl scripts to support subcommands such as cvsserver, which allowed attackers to execute arbitrary OS commands via shell metacharacters in a module name (bsc#1061041). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-CAASP-ALL-2017-1704,SUSE-OpenStack-Cloud-6-2017-1704,SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1704,SUSE-SLE-RPI-12-SP2-2017-1704,SUSE-SLE-SAP-12-SP1-2017-1704,SUSE-SLE-SDK-12-SP2-2017-1704,SUSE-SLE-SDK-12-SP3-2017-1704,SUSE-SLE-SERVER-12-SP1-2017-1704,SUSE-SLE-SERVER-12-SP2-2017-1704,SUSE-SLE-SERVER-12-SP3-2017-1704 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172747-1/ Link for SUSE-SU-2017:2747-1 https://lists.suse.com/pipermail/sle-security-updates/2017-October/003301.html E-Mail link for SUSE-SU-2017:2747-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1061041 SUSE Bug 1061041 https://www.suse.com/security/cve/CVE-2017-14867/ SUSE CVE CVE-2017-14867 page SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Software Development Kit 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP3 SUSE OpenStack Cloud 6 git-core-2.12.3-27.9.1 git-doc-2.12.3-27.9.1 git-2.12.3-27.9.1 git-arch-2.12.3-27.9.1 git-cvs-2.12.3-27.9.1 git-daemon-2.12.3-27.9.1 git-email-2.12.3-27.9.1 git-gui-2.12.3-27.9.1 git-svn-2.12.3-27.9.1 git-web-2.12.3-27.9.1 gitk-2.12.3-27.9.1 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server 12 SP2 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server 12 SP2 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server 12 SP3 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 git-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-arch-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-cvs-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-daemon-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-email-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-gui-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-svn-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-web-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 gitk-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 git-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-arch-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-core-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-cvs-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-daemon-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-doc-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-email-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-gui-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-svn-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-web-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 gitk-2.12.3-27.9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP3 git-core-2.12.3-27.9.1 as a component of SUSE OpenStack Cloud 6 git-doc-2.12.3-27.9.1 as a component of SUSE OpenStack Cloud 6 Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. CVE-2017-14867 SUSE Linux Enterprise Server 12 SP1-LTSS:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server 12 SP1-LTSS:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Server 12 SP2:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server 12 SP2:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Server 12 SP3:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-arch-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-cvs-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-daemon-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-email-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-gui-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-svn-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:git-web-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP2:gitk-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-arch-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-core-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-cvs-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-daemon-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-doc-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-email-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-gui-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-svn-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:git-web-2.12.3-27.9.1 SUSE Linux Enterprise Software Development Kit 12 SP3:gitk-2.12.3-27.9.1 SUSE OpenStack Cloud 6:git-core-2.12.3-27.9.1 SUSE OpenStack Cloud 6:git-doc-2.12.3-27.9.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C 9 AV:N/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172747-1/ https://www.suse.com/security/cve/CVE-2017-14867.html CVE-2017-14867 https://bugzilla.suse.com/1060377 SUSE Bug 1060377 https://bugzilla.suse.com/1060378 SUSE Bug 1060378 https://bugzilla.suse.com/1061041 SUSE Bug 1061041