oss-sec mailing list archives
Re: CVE for git issue - please use CVE-2015-7545
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 9 Dec 2015 14:15:34 -0700
I'm pretty sure people expect git recursive fetch to result in data being fetched (potentially quite a lot) but that it does NOT result in arbitrary command/code execution. As such (the potential for remote code execution) we feel this is a security issue, hence the security updates from Red Hat.

On Wed, Dec 9, 2015 at 1:26 PM, Evans, Jonathan L. <jevans () mitre org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We are not certain if the assignment of CVE-2015-7545 is correct. The vendor may not officially support the "blindly enable recursive fetch" scenario, i.e. the user is expected to accept the risk of executing a recursive fetch from an untrusted source, and the change should be considered a security hardening feature for the convenience of their users.
>
> MITRE has been actively working with the upstream vendor to determine the appropriate number of CVEs for the vulnerabilities. There was no oss-security post from us because the context of MITRE's work was related to previous private communication from and to the upstream vendor.
>
> In the future, we plan to respond quickly to requests like the initial one, asking the requester for the appropriate information needed to assign a CVE ID.
>
> - --
> Jonathan Evans
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJWaI5KAAoJEL54rhJi8gl5WDsQAL1khrVZkPxjgxauyLhaaPKA
> +zQogmqLzJmAlx6JNj5ehKNvSkPFX9J4TzJ7IyYdEiVaeoUvbWJHu+CCNfmsiEXv
> jmMDCfMOTeHUhHBi0DaeAklspzN11a78m+y4LV1ixB2/75PRHapNR36Ff2OLB6L0
> PDCW3Kwl0QBRWg+ezF4SeOfJNqCYUaat6oW16wgL33b1NTPveP7Iop0INHwb/ebd
> UEak3vZTeHowT0IP0/5wbUyqEmYXONvUuXfRvLuQQzVL2qfValAN6KMbFq2mjYEm
> SeGj9uNTBf16ATF/BboN3IWElBtGLfIwY3Rleu8NtMmKruR8rEP9tqDZKdnZI50K
> +c6S3sdqlfzc8F2m99dGE5FuXe/qY0WfALo8vDgNs58zR5uh23rIIGZwgU4zxl32
> V71ssQr/hbfxen8u3ZJ258bRVmhh8SFyykKznYdC0iq1Zf58oIwmUgja5AbNNkqI
> 39jeBeAVrdmmMIMrrw+hYDRRFcRXHRkGM95gMCSjBSHY68/duKfN+G3CIRntxtek
> /Cu3IIy50FybOfOERdy+NBsQV8yK2LR+PXWXMmik0JgYMRXkwH6zSf5opbwGDWQb
> 0nI+HIKSUXdmjGHyVE8YqgeFcb52W9+EbdybuRkdbZq09rUWUr94FPjR73VNA8Yj
> 755moYSPJKuOLPJK33pi
> =IV1v
> -----END PGP SIGNATURE-----

--
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
Current thread:
- CVE for git issue - please use CVE-2015-7545 Kurt Seifried (Dec 08)
- RE: CVE for git issue - please use CVE-2015-7545 Evans, Jonathan L. (Dec 09)
- Re: CVE for git issue - please use CVE-2015-7545 Kurt Seifried (Dec 09)
- Re: CVE for git issue - please use CVE-2015-7545 cve-assign (Dec 11)
- RE: CVE for git issue - please use CVE-2015-7545 Evans, Jonathan L. (Dec 09)