Git remote execution vulnerability on all distributed versions up to 2.7.1
Re: server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished CVE-2016-2324 and CVE\xe2\x80\x912016\xe2\x80\x912315) From: La胠 Cellier <lael.cellier () laposte net> Date: Wed, 16 Mar 2016 11:47:31 +0100 Oh.............................. Big mistake. I might advertised too soon. I saw changes were pushed in master, so I thought the next version (which was 2.7.1) would be the one which will include the fix. But as pointed out on https://security-tracker.debian.org/tracker/CVE-2016-2324 no versions including the fixes were released yet, and even 2.7.3 still include path_name(). I didn't checked the code (Sorrrry). So the only way to fix it is to draw your compilers and compile the current master branch at https://git.kernel.org/cgit/git/git.git/. Or do like github did by using the patches at http://thread.gmane.org/gmane.comp.version-control.git/286253 and http://thread.gmane.org/gmane.comp.version-control.git/286008 I'm really sorry...
Current upstream version in Devuan: 2.1.4 VULNERABLE
Fork and apply the patches? That's a big jump from 2.1.4 to 2.7.3. Ceres, though, has 2.7.0, so it should be OK.