It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities: Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality (CVE-2008-5916). Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server (CVE-2008-5516, CVE-2008-5517). For the stable distribution (etch), these problems have been fixed in version 1.4.4.4-4+etch1. For the unstable distribution (sid) and testing distribution (lenny), the remote shell command injection issue (CVE-2008-5516) has been fixed in version 1.5.6-1. The other issue will be fixed soon. We recommend that you upgrade your Git packages.
It was discovered that gitweb, the web interface for the Git version control system, contained several vulnerabilities:
Remote attackers could use crafted requests to execute shell commands on the web server, using the snapshot generation and pickaxe search functionality (CVE-2008-5916).
Local users with write access to the configuration of a Git repository served by gitweb could cause gitweb to execute arbitrary shell commands with the permission of the web server (CVE-2008-5516, CVE-2008-5517).
For the stable distribution (etch), these problems have been fixed in version 1.4.4.4-4+etch4.
For the unstable distribution (sid) and testing distribution (lenny), the remote shell command injection issue (CVE-2008-5516) has been fixed in version 1.5.6-1. The other issue will be fixed soon.
We recommend that you upgrade your Git packages.
MD5 checksums of the listed files are available in the original advisory.
Vulmon