From the release announcement¹

A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.

Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.

Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.

¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/
SHA512 (git-2.9.5.tar.xz) = 5a3f62b9640a477bfd1a299f365ddb36c69ce5fb92ecf3ba7176686836a3057de7c74078b46526abd7bee0204c49e36bbd7d77d4c2f69c6524eca592ab6c365d
SHA512 (git-2.9.5.tar.sign) = ae799e503c9648fffd9c18ce7bf826f8e28cec2bce196f67275f49eeba3c250457c2a4aa8316079e43f06a6374bbc2c3cc196555f58452aecef8be8727b2edcd
SHA512 (git-htmldocs-2.9.5.tar.xz) = 8ac48cc1bd9635ede960fb2dc5e18590fa0c743e0892e754cade2b5b2833a24f463059f2992e74a281b5ae3ff48309187d06f2e546676ceb3c38cf5ef32fb555
SHA512 (git-htmldocs-2.9.5.tar.sign) = 9239fda9b02adf4232048d259fe133cf67999836e3bb9ea76e96b18721916af5b22b375afbd857cfbb49dbafd9a9b8e1a02b0e53d21ecf04f2e5831a6b9fcdea
SHA512 (git-manpages-2.9.5.tar.xz) = e4daa7b481c1e14da76dac04348843240c9ece80123f6e6e10835d74737605c03ca07c60b90b94f59ba5fc91b2608115db632f3636a6eec6c95df682191ea9fb
SHA512 (git-manpages-2.9.5.tar.sign) = 48f9395ea09200275fe9836f27bfea1672151b351ae79a6554d9817d72e97d0db8d4656079bd1af3eeb2fda2c1d7e0ec9ce3f16b0fc3dda659cfd6fc836c6495