openSUSE Security Update: Security update for cgit
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1096-1
Rating:             moderate
References:         #910756
Cross-References:   CVE-2014-9390
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

The git web frontend cgit was updated to 0.11.2 to fix security issues and bugs.

The following vulnerabilities were fixed:

* CVE-2014-9390: arbitrary command execution vulnerability on
  case-insensitive file systems in git. Malicious commits could affect
  client users on all platforms using case-insensitive file systems when
  using vulnerable git versions.

In addition cgit was updated to 0.11.2 with minor improvements and bug fixes.
The embedded git version was updated to 2.4.3.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

    zypper in -t patch openSUSE-2015-436=1

- openSUSE 13.1:

    zypper in -t patch openSUSE-2015-436=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

    cgit-0.11.2-13.3.1
    cgit-debuginfo-0.11.2-13.3.1
    cgit-debugsource-0.11.2-13.3.1

- openSUSE 13.1 (i586 x86_64):

    cgit-0.11.2-11.3.1
    cgit-debuginfo-0.11.2-11.3.1
    cgit-debugsource-0.11.2-11.3.1

References:

  https://www.suse.com/security/cve/CVE-2014-9390.html
  https://bugzilla.suse.com/910756