ALAS-2017-910


Amazon Linux AMI Security Advisory: ALAS-2017-910
Advisory Release Date: 2017-10-13 00:20 Pacific
Severity: Medium
References: CVE-2017-NONE 

Issue Overview:

The git subcommand cvsserver is a Perl script that makes heavy use of the backtick operator to invoke git, and user input is used within some of those invocations. Because backticks hand the command string to a shell, that input reaches the shell unescaped. Note that git-shell invokes git-cvsserver by default, without further configuration.

http://seclists.org/oss-sec/2017/q3/534
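The pattern described in the overview, as an added illustration that is not code from git-cvsserver or from this advisory: a Perl backtick call that interpolates an input value, beside a list-form pipe open that never involves a shell. The sample input, the `echo` stand-in for the git invocation, and the function names are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample value standing in for client-supplied input.
# ';' is a shell metacharacter; the command after it is a harmless echo.
my $user_input = 'module; echo INJECTED';

# Unsafe: backticks build one string and hand it to /bin/sh, which
# parses the ';' and runs a second command.
sub capture_backticks {
    my ($arg) = @_;
    my $out = `echo $arg`;
    return defined $out ? $out : '';
}

# Safer: list-form pipe open passes an argument vector straight to
# exec, so no shell ever parses the value.
sub capture_list {
    my (@cmd) = @_;
    # With a single element Perl may fall back to shell parsing,
    # so insist on program plus at least one separate argument.
    die "need a program and at least one argument\n" if @cmd < 2;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    local $/;                       # slurp all output at once
    my $out = <$fh>;
    close($fh) or warn "$cmd[0] exited with status $?\n";
    return defined $out ? $out : '';
}

# The first call shows the input split into two commands by the shell;
# the second shows the same input kept as one literal argument.
print "backticks : ", capture_backticks($user_input);
print "list open : ", capture_list('echo', $user_input);
```

When reviewing other Perl tooling for the same class of bug, look for backticks, `qx//`, and single-string `system` or `open` calls whose command string contains an interpolated variable.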


Affected Packages:

git


Issue Correction:
Run yum update git to update your system.

New Packages:
i686:
    git-svn-2.13.6-1.55.amzn1.i686
    git-daemon-2.13.6-1.55.amzn1.i686
    git-2.13.6-1.55.amzn1.i686
    git-debuginfo-2.13.6-1.55.amzn1.i686

noarch:
    git-all-2.13.6-1.55.amzn1.noarch
    git-p4-2.13.6-1.55.amzn1.noarch
    emacs-git-2.13.6-1.55.amzn1.noarch
    git-email-2.13.6-1.55.amzn1.noarch
    gitweb-2.13.6-1.55.amzn1.noarch
    git-hg-2.13.6-1.55.amzn1.noarch
    git-bzr-2.13.6-1.55.amzn1.noarch
    perl-Git-2.13.6-1.55.amzn1.noarch
    emacs-git-el-2.13.6-1.55.amzn1.noarch
    git-cvs-2.13.6-1.55.amzn1.noarch
    perl-Git-SVN-2.13.6-1.55.amzn1.noarch

src:
    git-2.13.6-1.55.amzn1.src

x86_64:
    git-debuginfo-2.13.6-1.55.amzn1.x86_64
    git-2.13.6-1.55.amzn1.x86_64
    git-svn-2.13.6-1.55.amzn1.x86_64
    git-daemon-2.13.6-1.55.amzn1.x86_64