Debian Linux Security Advisory 3984-1 - joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured (however, the git-cvs package needs to be installed).
45c5b391bc95f3cc52114ee4a0b69f4f29bc0b3cde6352f0143c59740c21e65f