CVE-2015-7545: Input Validation
First published: Thu Oct 08 2015(Updated: )
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/git | <2.6.1 | 2.6.1 |
| redhat/git | <2.3.10 | 2.3.10 |
| Git Project Git | <=2.3.9 | |
| Git Project Git | =2.4.0 | |
| Git Project Git | =2.4.1 | |
| Git Project Git | =2.4.2 | |
| Git Project Git | =2.4.3 | |
| Git Project Git | =2.4.4 | |
| Git Project Git | =2.4.5 | |
| Git Project Git | =2.4.6 | |
| Git Project Git | =2.4.7 | |
| Git Project Git | =2.4.8 | |
| Git Project Git | =2.4.9 | |
| Git Project Git | =2.5.0 | |
| Git Project Git | =2.5.1 | |
| Git Project Git | =2.5.2 | |
| Git Project Git | =2.5.3 | |
| Git Project Git | =2.6.0 | |
| Redhat Software Collections | =1.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =15.04 | |
| Canonical Ubuntu Linux | =15.10 | |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
- https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
- https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
- https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
- https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/
- http://seclists.org/oss-sec/2015/q4/37
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1269797
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1269798
- https://rhn.redhat.com/errata/RHSA-2015-2515.html
- https://rhn.redhat.com/errata/RHSA-2015-2561.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1269794
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00066.html
- http://rhn.redhat.com/errata/RHSA-2015-2515.html
- http://www.debian.org/security/2016/dsa-3435
- http://www.openwall.com/lists/oss-security/2015/12/08/5
- http://www.openwall.com/lists/oss-security/2015/12/09/8
- http://www.openwall.com/lists/oss-security/2015/12/11/7
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78711
- http://www.securitytracker.com/id/1034501
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255
- http://www.ubuntu.com/usn/USN-2835-1
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.3.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.4.10.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.5.4.txt
- https://github.com/git/git/blob/master/Documentation/RelNotes/2.6.1.txt
- https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021
- https://lkml.org/lkml/2015/10/5/683
- https://security.gentoo.org/glsa/201605-01
- agent/type
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-7545
- agent/software-canonical-lookup
- agent/tags
- agent/event
- vendor/git project
- canonical/git project git
- version/git project git/2.3.9
- version/git project git/2.4.0
- version/git project git/2.4.1
- version/git project git/2.4.2
- version/git project git/2.4.3
- version/git project git/2.4.4
- version/git project git/2.4.5
- version/git project git/2.4.6
- version/git project git/2.4.7
- version/git project git/2.4.8
- version/git project git/2.4.9
- version/git project git/2.5.0
- version/git project git/2.5.1
- version/git project git/2.5.2
- version/git project git/2.5.3
- version/git project git/2.6.0
- vendor/redhat
- canonical/redhat software collections
- version/redhat software collections/1.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/15.04
- version/canonical ubuntu linux/15.10
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- version/opensuse opensuse/13.2
- package-manager/redhat