A vulnerability was found in git concerning the git shell. A user who comes over SSH could run an interactive pager by causing it to spawn "git upload-pack --help".

"git-shell" is a restricted login shell that can be used on a server to prevent SSH clients from running any programs except those needed for git fetches and pushes. If you are not running a server, or if your server has not been explicitly configured to use git-shell as a login shell, you are not affected.

Upstream patch:
https://kernel.googlesource.com/pub/scm/git/git/+/3ec804490a265f4c418a321428c12f3f18b7eff5

References:
https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
http://public-inbox.org/git/xmqq8tm5ziat.fsf@gitster.mtv.corp.google.com/
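
To check the exposure condition stated above (an account explicitly configured with git-shell as its login shell), the following added example, which is not part of the original report or of git itself, lists such accounts from passwd-format input. The function names and the sample entries are constructed for illustration; it inspects login shells only, which is the one condition the report names.

```shell
#!/bin/sh
# Added example: list accounts whose login shell is git-shell.
# Input is passwd(5) format: name:pw:uid:gid:gecos:home:shell
# Usage: git_shell_accounts [FILE|-]   (defaults to /etc/passwd)
git_shell_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 7         { next }            # skip malformed entries
        {
            shell = $7
            sub(/[ \t\r]+$/, "", shell)    # tolerate trailing whitespace / CR
            n = split(shell, parts, "/")
            # Compare the basename exactly, so wrappers such as
            # "git-shell-wrapper" are not reported as git-shell.
            if (parts[n] == "git-shell")
                printf "%s\t%s\t%s\n", $1, $6, shell
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data (not taken from any real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
git:x:1001:1001:Git hosting:/srv/git:/usr/bin/git-shell
deploy:x:1002:1002::/home/deploy:/usr/libexec/git-core/git-shell
# local comment line
alice:x:1003:1003::/home/alice:/bin/git-shell-wrapper
svc:x:1004:1004::/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the constructed sample: prints user, home directory and shell
# for the two accounts restricted to git-shell.
sample_passwd | git_shell_accounts -
```

On a server, run `git_shell_accounts` with no argument, or pipe in `getent passwd` with `-` as the argument to include accounts from directory services. An empty result means no account uses git-shell as its login shell.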

Created git tracking bugs for this issue:
Affects: fedora-all [bug 1450409]
Affects: openshift-1 [bug 1450410]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2004 https://access.redhat.com/errata/RHSA-2017:2004

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2017:2491 https://access.redhat.com/errata/RHSA-2017:2491