 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:256
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : git
 Date    : December 16, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in git (gitweb):

 A cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and
 previous versions allows remote attackers to inject arbitrary web
 script or HTML code via f and fp variables (CVE-2010-3906).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3906
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0
 Mandriva Linux 2010.0/X86_64
 Mandriva Linux 2010.1
 Mandriva Linux 2010.1/X86_64
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
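
 Added example, not part of the Mandriva advisory or of gitweb itself: a log check for the f and fp variables named in the problem description, flagging requests whose decoded values carry HTML metacharacters. The /gitweb.cgi path, the combined access-log format and the sample lines are assumptions constructed for illustration; the parser splits on both ';' and '&' because gitweb URLs separate parameters with semicolons.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that should not appear raw in a file path echoed into HTML.
# A quote can occur in a legitimate file name, so treat hits as leads to review.
HTML_META = re.compile(r"[<>\"']")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WATCHED = {"f", "fp"}  # the variables named in the advisory (CVE-2010-3906)


def gitweb_params(target):
    """Yield decoded (name, value) pairs, splitting the query on ';' and '&'."""
    query = urlsplit(target).query
    for pair in re.split(r"[;&]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def suspicious_requests(log_lines):
    """Return (line_number, param, decoded_value) for f/fp values with HTML metacharacters."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        for name, value in gitweb_params(match.group(1)):
            if name in WATCHED and HTML_META.search(value):
                hits.append((lineno, name, value))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Dec/2010:10:00:00 +0000] "GET /gitweb.cgi?p=proj.git;a=blob;f=README HTTP/1.1" 200 5120',
    '192.0.2.11 - - [16/Dec/2010:10:00:05 +0000] "GET /gitweb.cgi?p=proj.git;a=blobdiff;f=a.c;fp=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 812',
    '192.0.2.12 - - [16/Dec/2010:10:00:09 +0000] "GET /gitweb.cgi?p=proj.git&a=blob&f=%22%3E%3Ci%3Ey HTTP/1.1" 200 640',
    '192.0.2.13 - - [16/Dec/2010:10:00:12 +0000] "GET /gitweb.cgi?p=proj.git;a=search;s=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

 Hits in logs that predate the package update mark requests worth reviewing; the fourth sample line is ignored because only f and fp are watched.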