ELA-700-1 git security update
Package git
ELA-700-1 git security update
Version 1:2.1.4-2.1+deb8u11 (jessie), 1:2.11.0-3+deb9u8 (stretch)
Related CVEs CVE-2021-21300 CVE-2021-40330
Several security vulnerabilities have been discovered in Git, a fast, scalable, distributed revision control system, which may affect multi-user systems.
CVE-2021-21300
A specially crafted repository that contains symbolic links as well as
files using a clean/smudge filter such as Git LFS, may cause just-checked
out script to be executed while cloning onto a case-insensitive file system
such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and
macOS).
CVE-2021-40330
git_connect_git in connect.c allows a repository path to contain a newline
character, which may result in unexpected cross-protocol requests, as
demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1
substring.
For Debian 8 jessie, these problems have been fixed in version 1:2.1.4-2.1+deb8u11.
For Debian 9 stretch, these problems have been fixed in version 1:2.11.0-3+deb9u8.
We recommend that you upgrade your git packages.
Further information about Extended LTS security advisories can be found at: debian Extended Long term support
A git security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address several security vulnerabilities.