Bug 505761 (CVE-2009-2108) - CVE-2009-2108 git daemon Denial of Service with unknown "extra arg" information
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2108
Product: Fedora
Classification: Fedora
Component: git
Version: rawhide
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Todd Zullinger
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-06-13 15:34 UTC by Todd Zullinger
Modified: 2013-01-10 10:33 UTC

Fixed In Version: 1.6.0.6-4.fc10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-24 19:17:20 UTC
Type: ---
Embargoed:



Description Todd Zullinger 2009-06-13 15:34:31 UTC
A bug present in git-daemon since 1.4.4.5 can cause a denial of service by sending the git-daemon process into an infinite loop.  This is discussed in the git list thread starting at:

    http://thread.gmane.org/gmane.comp.version-control.git/120724

The fix was applied to the maint branch and can be seen at:

    http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9

I posted about this to fedora-security-list a day or so ago:

    http://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html

Of the active Fedora/EPEL branches, only devel and F-11 are recent
enough for this to apply cleanly.  The other branches required a small
amount of reworking to account for changes made to git-daemon since
the releases those branches were based upon.  I don't think the
backporting is all that difficult, but I am not a strong C coder.  Any
extra eyes on my backported patches would be most helpful.

A simple way to test this against a git server, taken from the initial
patch in the git list thread above:

$ perl -e '
    $s="git-upload-pack git\0user=me\0host=localhost\0";
    printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418 # or git-daemon --inetd --base-path=`pwd` --export-all

This will cause the git-daemon process spawned via xinetd to enter an
infinite loop.  New requests will still be handled, as xinetd will
spawn a new git-daemon process.  But, of course, an attacker can
easily cause many git-daemon processes to be started that will not
exit.

I've created patched packages with the backported patch for EL-{4,5}
and F-10 (F-9 is in sync with F-10, so the same spec/srpm should work
there).  These packages and patches against current CVS are at:

    http://tmz.fedorapeople.org/tmp/git-daemon-extra-args/

(Apologies for the minor non-related changes in some of the diffs, as
those were changes I had slated for release soon and didn't want to
revert at the last minute.)
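
The request in the test command above is a 4-hex-digit length prefix followed by "command path\0" and NUL-terminated extra arguments. As an added example (not git's code and not taken from this report), here is a bounded parser for that layout in which an unrecognised argument such as user=me is skipped and the cursor still advances on every iteration; struct req and parse_request are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example. */
struct req {
    const char *host;   /* value after "host=", or NULL if absent */
    int unknown;        /* unrecognised extra args that were skipped */
};

/* Parse "LLLLcommand path\0arg\0arg\0". Returns 0 on success, -1 if malformed.
 * Each pass moves p beyond the NUL that ends the current argument, whether
 * or not the argument is recognised, so the walk always terminates at end. */
int parse_request(const char *pkt, size_t n, struct req *out)
{
    char hex[5] = {0};
    const char *p, *end, *nul;
    size_t len;

    out->host = NULL;
    out->unknown = 0;
    if (n < 4) return -1;
    memcpy(hex, pkt, 4);
    if (strspn(hex, "0123456789abcdefABCDEF") != 4) return -1;
    len = strtoul(hex, NULL, 16);
    if (len < 4 || len > n) return -1;          /* prefix must fit the buffer */
    end = pkt + len;
    nul = memchr(pkt + 4, '\0', len - 4);       /* end of "command path" */
    if (!nul) return 0;                         /* no extra args present */
    for (p = nul + 1; p < end && *p; p = nul + 1) {
        nul = memchr(p, '\0', (size_t)(end - p));
        if (!nul) return -1;                    /* unterminated argument */
        if (strncmp(p, "host=", 5) == 0)
            out->host = p + 5;
        else
            out->unknown++;                     /* skipped, cursor still moves */
    }
    return 0;
}

int main(void)
{
    /* Constructed from the test command in the description (length 0x2f). */
    static const char pkt[] = "002fgit-upload-pack git\0user=me\0host=localhost\0";
    struct req r;
    int rc = parse_request(pkt, sizeof pkt - 1, &r);
    printf("rc=%d host=%s unknown=%d\n", rc, r.host ? r.host : "(none)", r.unknown);
    return rc ? 1 : 0;
}
```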

Comment 1 Tomas Hoger 2009-06-19 06:06:47 UTC
CVE-2009-2108:
git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a
request containing extra unrecognized arguments.

Comment 2 Fedora Update System 2009-06-20 02:16:01 UTC
git-1.6.2.5-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/git-1.6.2.5-1.fc11

Comment 3 Fedora Update System 2009-06-20 02:22:32 UTC
git-1.6.0.6-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc10

Comment 4 Fedora Update System 2009-06-20 02:24:15 UTC
git-1.6.0.6-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/git-1.6.0.6-4.fc9

Comment 5 Fedora Update System 2009-06-24 19:17:06 UTC
git-1.6.0.6-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-06-24 19:19:11 UTC
git-1.6.2.5-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-06-24 19:28:15 UTC
git-1.6.0.6-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

