Re: CVE for git issue - please use CVE-2015-7545

[Kurt Seifried <kseifried () redhat com>]

I'm pretty sure people expect git recursive fetch to result in data being
fetched (potentially quite a lot) but that it does NOT result in arbitrary
command/code execution. As such (the potential for remote code execution)
we feel this is a security issue, hence the security updates from Red Hat.



On Wed, Dec 9, 2015 at 1:26 PM, Evans, Jonathan L. <jevans () mitre org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We are not certain if the assignment of CVE-2015-7545 is correct.  The
> vendor
> may not officially support the "blindly enable recursive fetch" scenario,
> i.e.
> the user is expected to accept the risk of executing a recursive fetch
> from an
> untrusted source, and the change should be considered a security hardening
> feature for the convenience of their users.
>
> MITRE has been actively working with the upstream vendor to determine the
> appropriate number of CVEs for the vulnerabilities.  There was no
> oss-security
> post from us because the context of MITRE's work was related to previous
> private
> communication from and to the upstream vendor.
>
> In the future, we plan to respond quickly to requests like the initial one,
> asking the requester for the appropriate information needed to assign a
> CVE ID.
>
> - --
> Jonathan Evans
> CVE assignment team, MITRE CVE Numbering Authority M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through
> http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWaI5KAAoJEL54rhJi8gl5WDsQAL1khrVZkPxjgxauyLhaaPKA
> +zQogmqLzJmAlx6JNj5ehKNvSkPFX9J4TzJ7IyYdEiVaeoUvbWJHu+CCNfmsiEXv
> jmMDCfMOTeHUhHBi0DaeAklspzN11a78m+y4LV1ixB2/75PRHapNR36Ff2OLB6L0
> PDCW3Kwl0QBRWg+ezF4SeOfJNqCYUaat6oW16wgL33b1NTPveP7Iop0INHwb/ebd
> UEak3vZTeHowT0IP0/5wbUyqEmYXONvUuXfRvLuQQzVL2qfValAN6KMbFq2mjYEm
> SeGj9uNTBf16ATF/BboN3IWElBtGLfIwY3Rleu8NtMmKruR8rEP9tqDZKdnZI50K
> +c6S3sdqlfzc8F2m99dGE5FuXe/qY0WfALo8vDgNs58zR5uh23rIIGZwgU4zxl32
> V71ssQr/hbfxen8u3ZJ258bRVmhh8SFyykKznYdC0iq1Zf58oIwmUgja5AbNNkqI
> 39jeBeAVrdmmMIMrrw+hYDRRFcRXHRkGM95gMCSjBSHY68/duKfN+G3CIRntxtek
> /Cu3IIy50FybOfOERdy+NBsQV8yK2LR+PXWXMmik0JgYMRXkwH6zSf5opbwGDWQb
> 0nI+HIKSUXdmjGHyVE8YqgeFcb52W9+EbdybuRkdbZq09rUWUr94FPjR73VNA8Yj
> 755moYSPJKuOLPJK33pi
> =IV1v
> -----END PGP SIGNATURE-----



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com