Advisories » MGASA-2017-0440

Updated git packages fix security vulnerability

Publication date: 01 Dec 2017
Modification date: 01 Dec 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-15298

Description

Git through 2.14.2 mishandles layers of tree objects, which allows
remote attackers to cause a denial of service (memory consumption) via a
crafted repository, aka a Git bomb. This can also have an impact of disk
consumption; however, an affected process typically would not survive
its attempt to build the data structure in memory before writing to disk
(CVE-2017-15298).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=22067
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E74SITDDPAHRFJZ6NCMSIH3SXTJWBYU3/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298

SRPMS

6/core

• git-2.13.6-1.1.mga6

5/core

• git-2.7.6-1.1.mga5