Bug 229217 - devel/git vulnerable to CVE-2018-11233 and CVE-2018-11235 in 2018Q2
Summary: devel/git vulnerable to CVE-2018-11233 and CVE-2018-11235 in 2018Q2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Renato Botelho
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-21 18:17 UTC by Danny McGrath
Modified: 2018-06-22 11:24 UTC

See Also:
bugzilla: maintainer-feedback? (garga)


Description Danny McGrath 2018-06-21 18:17:20 UTC
Hi,

I was just wondering if perhaps I missed something, or there is a bug in my poudriere, but is it really the case that git has been vulnerable to 2 CVEs for a few weeks now? Any plans to patch it in Q2 (as opposed to waiting for Q3)?

Thanks!

git-2.16.3 is vulnerable:
Git -- Fix memory out-of-bounds and remote code execution vulnerabilities (CVE-2018-11233 and CVE-2018-11235)
CVE: CVE-2018-11235
CVE: CVE-2018-11233
WWW: https://vuxml.FreeBSD.org/freebsd/c7a135f4-66a4-11e8-9e63-3085a9a47796.html
Comment 1 commit-hook 2018-06-22 11:11:25 UTC
A commit references this bug:

Author: garga
Date: Fri Jun 22 11:10:50 UTC 2018
New revision: 473031
URL: https://svnweb.freebsd.org/changeset/ports/473031

Log:
  Update devel/git to 2.16.4

  PR:		229217
  Submitted by:	Dan McGrath <danmcgrath.ca@gmail.com>
  Approved by:	ports-secteam (miwi)
  Security:	CVE-2018-11233 CVE-2018-11235
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
  branches/2018Q2/devel/git/Makefile
  branches/2018Q2/devel/git/distinfo
  branches/2018Q2/devel/git/pkg-plist