openSUSE Security Update: Fixing two git vulnerabilities (CVE-2010-3906, CVE-2010-2542). ______________________________________________________________________________ Announcement ID: openSUSE-SU-2011:0115-1 Rating: moderate References: #624586 #659281 Cross-References: CVE-2010-2542 CVE-2010-3906 Affected Products: openSUSE 11.3 openSUSE 11.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update fixes two vulnerabilities: XSS vulnerability in gitweb; a remote attacker could craft an URL such that arbitrary content would be inserted to the generated web page. Stack overflow vulnerability that can lead to arbitrary code execution if user runs any git command on a specially crafted git working copy. Security Issue references: - [CVE-2010-3906](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-3906) - [CVE-2010-2542](http://cve.mitre.org/cgi-bin/cvename.cgi?nam e=CVE-2010-2542) Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.3: zypper in -t patch git-3832 - openSUSE 11.2: zypper in -t patch git-3831 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.3 (i586 x86_64): git-1.7.1-2.3.1 git-arch-1.7.1-2.3.1 git-core-1.7.1-2.3.1 git-cvs-1.7.1-2.3.1 git-daemon-1.7.1-2.3.1 git-email-1.7.1-2.3.1 git-gui-1.7.1-2.3.1 git-remote-helpers-1.7.1-2.3.1 git-svn-1.7.1-2.3.1 git-web-1.7.1-2.3.1 gitk-1.7.1-2.3.1 - openSUSE 11.2 (i586 x86_64): git-1.6.4.2-3.5.1 git-arch-1.6.4.2-3.5.1 git-core-1.6.4.2-3.5.1 git-cvs-1.6.4.2-3.5.1 git-daemon-1.6.4.2-3.5.1 git-email-1.6.4.2-3.5.1 git-gui-1.6.4.2-3.5.1 git-svn-1.6.4.2-3.5.1 git-web-1.6.4.2-3.5.1 gitk-1.6.4.2-3.5.1 References: http://support.novell.com/security/cve/CVE-2010-2542.html http://support.novell.com/security/cve/CVE-2010-3906.html https://bugzilla.novell.com/624586 https://bugzilla.novell.com/659281