If you use Git, it’s time to update it. Like, now. The latest version of the popular source management software addresses two frightening bugs, which could let an attacker execute arbitrary code on a victim’s computer if the victim clones a malicious repository.

The first bug, CVE-2018-11235, was reported by security researcher Etienne Stalmans. It exploits a flaw in Git where submodule names provided by the .gitmodules file are improperly validated when appended to $GIT_DIR/modules. This leaves it open to a pretty standard directory traversal attack. Including “../” in a name could…
This story continues at The Next Web
via The Next Web https://ift.tt/2LJLjOH
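An added example (not from the article or the Git project): a defender-side check that reads a `.gitmodules` file and flags submodule names containing a `..` path component, the condition described above. The sample file, its URLs and the function names are constructed for illustration, and treating both `/` and `\` as separators is an assumption.

```python
import re

# Constructed sample of a .gitmodules file: one benign entry, and one whose
# name climbs out of $GIT_DIR/modules with "../" components.
SAMPLE_GITMODULES = '''\
[submodule "libs/zlib"]
	path = libs/zlib
	url = https://example.com/zlib.git
[submodule "../../modules/evil"]
	path = evil
	url = https://example.com/evil.git
'''

# Matches a section header such as: [submodule "name"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def submodule_names(text):
    """Yield each submodule name declared in .gitmodules-style text."""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Inside a quoted subsection name, \" and \\ are escapes.
            yield re.sub(r'\\(.)', r'\1', m.group(1))


def is_safe_name(name):
    """Reject empty names and any ".." path component (assumed: / or \\)."""
    if not name:
        return False
    return ".." not in re.split(r'[/\\]', name)


def unsafe_submodules(text):
    """Return names that would escape $GIT_DIR/modules when appended to it."""
    return [n for n in submodule_names(text) if not is_safe_name(n)]


if __name__ == "__main__":
    for name in unsafe_submodules(SAMPLE_GITMODULES):
        print("unsafe submodule name:", name)
```

A name such as `foo..bar` passes, because only a whole path component equal to `..` moves up a directory.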