This is an important issue: a malicious third party can hand an unsuspecting victim a crafted "ssh://..." URL, and merely attempting to visit that URL can cause any program present on the victim's machine to be executed. The crafted URL carries a host name that begins with a dash, so the SCM client passes it to ssh where it is interpreted as a command-line option (for example -oProxyCommand=...) rather than as a host, and ssh runs the attacker's command. Such a URL can be placed in the .gitmodules file of a malicious project, and an unsuspecting victim can be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
This was a coordinated release with Subversion and Mercurial, which share a similar issue. The Git vulnerability is tracked as CVE-2017-1000117; the Subversion and Mercurial issues are CVE-2017-9800 and CVE-2017-1000116 respectively.
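The following is an added example, not code from Bitnami or from the Git, Subversion or Mercurial projects. It shows the shape of the crafted URLs described above and a pre-clone check that flags them: it reads the url entries from a .gitmodules file (the sample below is constructed for this example), works out the "[user@]host" string that would be handed to ssh for both ssh:// URLs and scp-style "[user@]host:path" URLs, and refuses any that begin with a dash. The submodule names and URLs in the sample are invented.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .gitmodules (not taken from any real project). The two
# hostile entries use a host/user field that begins with a dash, which is the
# shape of the crafted URLs described above; the others are ordinary URLs.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "libbar"]
\tpath = vendor/libbar
\turl = git@example.com:org/libbar.git
[submodule "evil-ssh-url"]
\tpath = vendor/evil1
\turl = ssh://-oProxyCommand=touch${IFS}pwned/x
[submodule "evil-scp-style"]
\tpath = vendor/evil2
\turl = -oProxyCommand=id@example.com:repo.git
"""

SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")
_SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
_URL_RE = re.compile(r'^\s*url\s*=\s*(.*?)\s*$')


def ssh_target(url: str):
    """Return the '[user@]host' string an ssh-based SCM client would hand to ssh
    for this URL, or None when the URL does not lead to an ssh invocation.
    Both ssh:// URLs and scp-style '[user@]host:path' URLs are handled."""
    if url.startswith(SSH_SCHEMES):
        netloc = urlsplit(url).netloc
        userinfo, _, hostport = netloc.rpartition("@")
        # ssh receives the port separately (-p), so drop a ':port' suffix
        host = re.sub(r":\d+$", "", hostport)
        return f"{userinfo}@{host}" if userinfo else host
    if "://" not in url:
        # scp-style: a colon that appears before any slash separates host from path
        colon, slash = url.find(":"), url.find("/")
        if colon != -1 and (slash == -1 or colon < slash):
            return url[:colon]
    return None


def looks_like_option(arg: str) -> bool:
    """An argument starting with '-' is parsed by ssh as an option, not a host."""
    return arg.startswith("-")


def submodule_urls(gitmodules_text: str) -> dict:
    """Minimal .gitmodules reader: maps submodule name -> url."""
    urls, current = {}, None
    for line in gitmodules_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _URL_RE.match(line)
        if m and current is not None:
            urls[current] = m.group(1)
    return urls


def dangerous_submodules(gitmodules_text: str) -> list:
    """Return (name, url, ssh_argument) for every submodule whose URL would put
    a dash-prefixed argument in front of ssh."""
    findings = []
    for name, url in submodule_urls(gitmodules_text).items():
        target = ssh_target(url)
        if target is not None and looks_like_option(target):
            findings.append((name, url, target))
    return findings


if __name__ == "__main__":
    for name, url, target in dangerous_submodules(SAMPLE_GITMODULES):
        print(f"REFUSE submodule {name!r}: ssh would receive {target!r} from {url!r}")
```

The dash check is the same idea the fixed Git release applies before invoking ssh (it refuses host names that begin with a dash); running a scanner like this over a repository's .gitmodules before "git clone --recurse-submodules" is a useful sanity check, but it is not a substitute for upgrading the Git, Subversion and Mercurial clients themselves.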
We have released updated versions of all the affected containers and Helm charts for Kubernetes.
Containers:
Helm Charts:
We have released new versions of the applications that use any of these Source Code Management tools for all platforms:
If you cannot update or migrate to a new version, the workaround is to disable the "ssh://" protocol in your web application; GitLab documents how to do this in their workaround. Note that this only removes the attack surface from the web application's own use of the SCM tool: any git, svn or hg client on the host remains vulnerable to crafted URLs until it is upgraded.
Have questions about this security vulnerability for Bitnami solutions that ship Git, Subversion or Mercurial? Post to our Community Forum, and we will be happy to help you.