ASA-201705-14 generated external raw

[ASA-201705-14] git: access restriction bypass
Arch Linux Security Advisory ASA-201705-14 ========================================== Severity: High Date : 2017-05-12 CVE-ID : CVE-2017-8386 Package : git Type : access restriction bypass Remote : Yes Link : https://security.archlinux.org/AVG-267 Summary ======= The package git before version 2.13.0-1 is vulnerable to access restriction bypass. Resolution ========== Upgrade to 2.13.0-1. # pacman -Syu "git>=2.13.0-1" The problem has been fixed upstream in version 2.13.0. Workaround ========== None. Description =========== A security issue has been found in git < 2.12.3, allowing a remote restricted user to execute an interactive pager on the server by causing it to spawn "git upload-pack --help". This is only an issue for servers running the "git-shell" restricted login shell. Impact ====== A remote attacker can use the interactive pager commands to access and modify arbitrary files on the affected host. If the login shell used is not git-shell, a remote attacker might also be able to run arbitrary commands on the affected host. References ========== http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ https://security.archlinux.org/CVE-2017-8386