Debian Security Advisory DSA 4581-1 (git - security update)

The remote host is missing an update for the 'git' package(s) announced via the DSA-4581-1 advisory.

Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system. CVE-2019-1348 It was reported that the --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=..., allowing to overwrite arbitrary paths. CVE-2019-1387 It was discovered that submodule names are not validated strictly enough, allowing very targeted attacks via remote code execution when performing recursive clones. CVE-2019-19604 Joern Schneeweisz reported a vulnerability, where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that. It is now disallowed for `.gitmodules` to have entries that set `submodule..update=!command`. In addition this update addresses a number of security issues which are only an issue if git is operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352 and CVE-2019-1353 ).

'git' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For the oldstable distribution (stretch), these problems have been fixed in version 1:2.11.0-3+deb9u5. For the stable distribution (buster), these problems have been fixed in version 1:2.20.1-2+deb10u1. We recommend that you upgrade your git packages.