FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
1d567278-87a5-11e4-879c-000c292ee6b8git -- Arbitrary command execution on case-insensitive filesystems

The Git Project reports:

When using a case-insensitive filesystem an attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. If you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git.


Discovery 2014-12-19
Entry 2014-12-19
git
< 2.2.1

CVE-2014-9390
https://github.com/blog/1938-git-client-vulnerability-announced
http://article.gmane.org/gmane.linux.kernel/1853266
67765237-8470-11ea-a283-b42e99a1b9c3malicious URLs can cause git to send a stored credential to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.


Discovery 2020-04-20
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-lite
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-gui
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
CVE-2020-11008
7f645ee5-7681-11e5-8519-005056ac623eGit -- Execute arbitrary code

Git release notes:

Some protocols (like git-remote-ext) can execute arbitrary code found in the URL. The URLs that submodules use may come from arbitrary sources (e.g., .gitmodules files in a remote repository), and can hurt those who blindly enable recursive fetch. Restrict the allowed protocols to well known and safe ones.


Discovery 2015-09-23
Entry 2015-10-19
Modified 2015-12-12
git
< 2.6.1

git-gui
< 2.6.1

git-lite
< 2.6.1

git-subversion
< 2.6.1

CVE-2015-7545
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.6.1.txt
http://www.openwall.com/lists/oss-security/2015/12/11/7
827bc2b7-95ed-11df-9160-00e0815b8da8git -- buffer overflow vulnerability

Greg Brockman reports:

If an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code.


Discovery 2010-07-20
Entry 2010-07-23
git
ge 1.5.6 lt 1.7.1.1_1

CVE-2010-2542
http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc
http://www.openwall.com/lists/oss-security/2010/07/22/1
93ee802e-ebde-11e5-92ce-002590263bf5git -- potential code execution

Debian reports:

"int" is the wrong data type for ... nlen assignment.


Discovery 2015-09-24
Entry 2016-03-17
git
< 2.7.0

CVE-2016-2315
http://www.openwall.com/lists/oss-security/2016/03/15/6
https://marc.info/?l=oss-security&m=145809217306686&w=2
https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305
https://security-tracker.debian.org/tracker/CVE-2016-2315
c7a135f4-66a4-11e8-9e63-3085a9a47796Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)

The Git community reports:

  • In affected versions of Git, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
  • In affected versions of Git, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

Discovery 2018-05-29
Entry 2018-06-02
git
git-lite
< 2.13.7

ge 2.14 lt 2.14.4

ge 2.15 lt 2.15.2

ge 2.16 lt 2.16.4

ge 2.17 lt 2.17.1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233
CVE-2018-11233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
CVE-2018-11235
ced2d47e-8469-11ea-a283-b42e99a1b9c3malicious URLs may present credentials to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.


Discovery 2020-04-14
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-lite
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-gui
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
CVE-2020-5260
d2a84feb-ebe0-11e5-92ce-002590263bf5git -- integer overflow

Debian reports:

integer overflow due to a loop which adds more to "len".


Discovery 2016-02-24
Entry 2016-03-18
git
< 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-gui
< 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-lite
< 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

git-subversion
< 2.4.11

ge 2.5.0 lt 2.5.5

ge 2.6.0 lt 2.6.6

ge 2.7.0 lt 2.7.4

CVE-2016-2324
https://security-tracker.debian.org/tracker/CVE-2016-2324
https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
d9b01c08-59b3-11de-828e-00e0815b8da8git -- denial of service vulnerability

SecurityFocus reports:

Git is prone to a denial-of-service vulnerability because it fails to properly handle some client requests.

Attackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial of service condition.


Discovery 2009-06-04
Entry 2009-06-15
Modified 2010-05-02
git
< 1.6.3.2_1

35338
CVE-2009-2108
https://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html
http://article.gmane.org/gmane.comp.version-control.git/120724
ecad44b9-e663-11dd-afcd-00e0815b8da8git -- gitweb privilege escalation

Git maintainers report:

gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query.


Discovery 2008-12-20
Entry 2009-01-19
git
< 1.6.0.6

32967
http://marc.info/?l=git&m=122975564100860&w=2
http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.6.0.6.txt