ALAS-2017-882


Amazon Linux AMI Security Advisory: ALAS-2017-882
Advisory Release Date: 2017-08-31 23:09 Pacific
Severity: Important
References: CVE-2017-1000117 

Issue Overview:

Command injection via malicious ssh URLs:
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a legitimate repository containing a malicious commit.(CVE-2017-1000117 )


Affected Packages:

git


Issue Correction:
Run yum update git to update your system.

New Packages:
i686:
    git-2.13.5-1.53.amzn1.i686
    git-daemon-2.13.5-1.53.amzn1.i686
    git-debuginfo-2.13.5-1.53.amzn1.i686
    git-svn-2.13.5-1.53.amzn1.i686

noarch:
    git-email-2.13.5-1.53.amzn1.noarch
    git-bzr-2.13.5-1.53.amzn1.noarch
    git-p4-2.13.5-1.53.amzn1.noarch
    git-cvs-2.13.5-1.53.amzn1.noarch
    emacs-git-el-2.13.5-1.53.amzn1.noarch
    git-all-2.13.5-1.53.amzn1.noarch
    git-hg-2.13.5-1.53.amzn1.noarch
    perl-Git-SVN-2.13.5-1.53.amzn1.noarch
    gitweb-2.13.5-1.53.amzn1.noarch
    emacs-git-2.13.5-1.53.amzn1.noarch
    perl-Git-2.13.5-1.53.amzn1.noarch

src:
    git-2.13.5-1.53.amzn1.src

x86_64:
    git-daemon-2.13.5-1.53.amzn1.x86_64
    git-2.13.5-1.53.amzn1.x86_64
    git-debuginfo-2.13.5-1.53.amzn1.x86_64
    git-svn-2.13.5-1.53.amzn1.x86_64