科技回声

8 条评论

Mojah大约 9 年前

A couple of thoughts on the potential impact: <a href="https://ma.ttias.be/remote-code-execution-git-versions-client-server-2-7-1-cve-2016-2324-cve-2016%E2%80%912315/" rel="nofollow">https://ma.ttias.be/remote-code-execution-git-versions-clien...</a><p>Server-side: github & bitbucket will get patched quickly, if they're even still vulnerable. Self-hosted installations like Gitlab will be more difficult, as it requires sysadmins to patch themselves. History has thought us this takes too long.<p>Client-side: possibly the biggest impact, as nearly every Linux distribution ships vulnerable versions. Any kind of local system user activity could trigger the RCE. Technically, that includes any PHP, Ruby or Python site that allows shell commands to be executed - which, by default, they nearly all do.<p>It has all the potential to be huge.

评论 #11294176 未加载

评论 #11293974 未加载

krallin大约 9 年前

Note: if you're using Ubuntu, there is a semi-official PPA that has a non-vulnerable version (2.7.3): <a href="https://launchpad.net/~git-core/+archive/ubuntu/ppa" rel="nofollow">https://launchpad.net/~git-core/+archive/ubuntu/ppa</a>

评论 #11293847 未加载

mappu大约 9 年前

Times like this i'm glad i'm still on Mercurial (no `strcpy` overflows in Python). Is anyone planning on writing a DVCS in Rust?

评论 #11294568 未加载

评论 #11294516 未加载

评论 #11294634 未加载

sergioocon大约 9 年前

<a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315</a>

0x0大约 9 年前

Sounds like this could be a big deal for bitbucket.org and gitlab.com? Esp. considering private repositories there.

评论 #11293983 未加载

koleslaw大约 9 年前

BitBucket Cloud is currently on Git 2.1.1.1.g1fb337f (Version Info link in the footer <a href="https://bitbucket.org/support" rel="nofollow">https://bitbucket.org/support</a>). Anyone know what about GitHub?

Mojah大约 9 年前

Public mirror here if the official ones go down: <a href="https://marc.ttias.be/oss-security/2016-03/msg00180.php" rel="nofollow">https://marc.ttias.be/oss-security/2016-03/msg00180.php</a>

swiley大约 9 年前

Git kind of implies that you're going to execute something from the remote end anyway so it's not something like hartbleed....

评论 #11293258 未加载

8 条评论

Mojah大约 9 年前

评论 #11294176 未加载

评论 #11293974 未加载

krallin大约 9 年前

评论 #11293847 未加载

mappu大约 9 年前

Times like this i'm glad i'm still on Mercurial (no `strcpy` overflows in Python). Is anyone planning on writing a DVCS in Rust?

评论 #11294568 未加载

评论 #11294516 未加载

评论 #11294634 未加载

sergioocon大约 9 年前

<a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315</a>

0x0大约 9 年前

Sounds like this could be a big deal for bitbucket.org and gitlab.com? Esp. considering private repositories there.

评论 #11293983 未加载

koleslaw大约 9 年前

Mojah大约 9 年前

Public mirror here if the official ones go down: <a href="https://marc.ttias.be/oss-security/2016-03/msg00180.php" rel="nofollow">https://marc.ttias.be/oss-security/2016-03/msg00180.php</a>

swiley大约 9 年前

Git kind of implies that you're going to execute something from the remote end anyway so it's not something like hartbleed....

评论 #11293258 未加载

Server and Client RCE in Git version 2.7.1 and below

8 条评论

Server and Client RCE in Git version 2.7.1 and below

8 条评论