ALAS-2017-910


Amazon Linux AMI Security Advisory: ALAS-2017-910
Advisory Release Date: 2017-10-12 19:39 Pacific
Advisory Updated Date: 2017-10-13 00:20 Pacific
Severity: Medium
References: CVE-2017-NONE 

Issue Overview:

The git subcommand cvsserver is a Perl script that makes excessive use of the backtick operator to invoke git. Unfortunately, user input is used within some of those invocations. Note that git-shell will invoke git-cvsserver by default, without further configuration.

http://seclists.org/oss-sec/2017/q3/534
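
The pattern described above, as an added Perl illustration that is not code from git-cvsserver or from this advisory: a backtick invocation that interpolates a caller-supplied value, beside a list-form pipe open that bypasses the shell. The function names, the sample input and the use of echo as a stand-in for git are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration; not code from git-cvsserver.
use strict;
use warnings;

# Constructed input standing in for a client-supplied name.
my $name = 'src; echo INJECTED';

# Unsafe: backticks hand the interpolated string to /bin/sh, so the ';'
# ends the intended command and the remainder runs as a second command.
sub describe_unsafe {
    my ($n) = @_;
    return `echo module=$n`;
}

# Safer: the list form of a pipe open executes the program directly,
# with no shell, so the whole value arrives as a single argument.
sub describe_list_form {
    my ($n) = @_;
    open(my $fh, '-|', 'echo', "module=$n") or die "cannot run echo: $!";
    local $/;                      # slurp all output at once
    my $out = <$fh>;
    close($fh) or die "echo failed: $?";
    return $out;
}

# Second layer: allow-list check applied before anything is executed.
# A leading '-' is rejected so the value cannot be read as an option.
sub validate_name {
    my ($n) = @_;
    return $n =~ /\A[A-Za-z0-9._\/][A-Za-z0-9._\/-]*\z/ ? 1 : 0;
}

print "unsafe:    ", describe_unsafe($name);     # two lines: the shell split the input
print "list form: ", describe_list_form($name);  # one line: input kept literal
print "valid:     ", validate_name($name) ? "yes" : "no", "\n";
```
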


Affected Packages:

git


Issue Correction:
Run yum update git to update your system.

New Packages:
i686:
    git-svn-2.13.6-1.55.amzn1.i686
    git-daemon-2.13.6-1.55.amzn1.i686
    git-2.13.6-1.55.amzn1.i686
    git-debuginfo-2.13.6-1.55.amzn1.i686

noarch:
    git-all-2.13.6-1.55.amzn1.noarch
    git-p4-2.13.6-1.55.amzn1.noarch
    emacs-git-2.13.6-1.55.amzn1.noarch
    git-email-2.13.6-1.55.amzn1.noarch
    gitweb-2.13.6-1.55.amzn1.noarch
    git-hg-2.13.6-1.55.amzn1.noarch
    git-bzr-2.13.6-1.55.amzn1.noarch
    perl-Git-2.13.6-1.55.amzn1.noarch
    emacs-git-el-2.13.6-1.55.amzn1.noarch
    git-cvs-2.13.6-1.55.amzn1.noarch
    perl-Git-SVN-2.13.6-1.55.amzn1.noarch

src:
    git-2.13.6-1.55.amzn1.src

x86_64:
    git-debuginfo-2.13.6-1.55.amzn1.x86_64
    git-2.13.6-1.55.amzn1.x86_64
    git-svn-2.13.6-1.55.amzn1.x86_64
    git-daemon-2.13.6-1.55.amzn1.x86_64