Debian 10032 Published by

A git security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address several security vulnerabilities.



ELA-700-1 git security update

Package git
Version 1:2.1.4-2.1+deb8u11 (jessie), 1:2.11.0-3+deb9u8 (stretch)
Related CVEs CVE-2021-21300 CVE-2021-40330

Several security vulnerabilities have been discovered in Git, a fast, scalable, distributed revision control system, which may affect multi-user systems.

CVE-2021-21300

A specially crafted repository that contains symbolic links as well as
files using a clean/smudge filter such as Git LFS, may cause just-checked
out script to be executed while cloning onto a case-insensitive file system
such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and
macOS).

CVE-2021-40330

git_connect_git in connect.c allows a repository path to contain a newline
character, which may result in unexpected cross-protocol requests, as
demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1
substring.

For Debian 8 jessie, these problems have been fixed in version 1:2.1.4-2.1+deb8u11.

For Debian 9 stretch, these problems have been fixed in version 1:2.11.0-3+deb9u8.

We recommend that you upgrade your git packages.

Further information about Extended LTS security advisories can be found at: debian Extended Long term support

  ELA-700-1 git security update