[3.5] libgit2: Multiple vulnerabilities (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130)
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
Fixed In Version:
libgit2 0.25.1, libgit2 0.24.6
References:
http://seclists.org/oss-sec/2017/q1/59
https://github.com/libgit2/libgit2/releases/tag/v0.24.6
Patch:
https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2
CVE-2016-10129: smart_pkt: treat empty packet lines as error
Fixed In Version:
libgit2 0.25.1, libgit2 0.24.6
References:
http://seclists.org/oss-sec/2017/q1/59
https://github.com/libgit2/libgit2/releases/tag/v0.24.6
Patch:
https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037
CVE-2016-10130: http: check certificate validity before clobbering the error variable
Fixed In Version:
libgit2 0.25.1, libgit2 0.24.6
References:
http://seclists.org/oss-sec/2017/q1/59
https://github.com/libgit2/libgit2/releases/tag/v0.24.6
Patch:
https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211
(from redmine: issue id 6740, created on 2017-01-25, closed on 2017-01-28)
- Relations:
  - parent #6738 (closed)
- Changesets:
  - Revision 322e4dec by Sergei Lukin on 2017-01-26T13:27:59Z:
    main/libgit2: security upgrade to 0.24.6 - fixes #6740
    CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
    CVE-2016-10129: smart_pkt: treat empty packet lines as error
    CVE-2016-10130: http: check certificate validity before clobbering the error variable