Friday, August 11, 2017

Security Issue (CVE-2017-1000117): Git, Subversion and Mercurial

A new version of Git has been released to address the following security vulnerability: CVE-2017-1000117.

This is an important issue: a malicious third party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
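The post does not spell out what makes the URL "crafted": in the affected Git versions the host part of an ssh:// URL is passed straight to the ssh client, so a host that begins with a dash (for example an "-oProxyCommand=..." string) is read by ssh as an option rather than a hostname, and the fixed Git release rejects such hosts. The script below is an added example, not Bitnami's or Git's code, that you can run over a repository's .gitmodules before cloning with --recurse-submodules. The .gitmodules content is constructed for the example; the scp-like "host:path" form is checked as well, which goes beyond the ssh:// form the post mentions, and IPv6 bracket hosts are not handled.

```python
"""Flag submodule URLs in a .gitmodules file whose ssh user, host or port
begins with a dash, the URL shape behind CVE-2017-1000117.

Added example for this post; not Bitnami's or Git's own code.  The config
parser is a minimal reader of the syntax .gitmodules uses, not a full
git-config implementation (no includes, no quoting, no IPv6 brackets).
"""
import re
from typing import Dict, List, Optional, Tuple

_SUBMODULE_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_ANY_SECTION = re.compile(r'^\s*\[')
_KEY_VALUE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample (not from the original post).  The last entry carries the
# kind of URL the advisory warns about: its "host" starts with a dash.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.com/libfoo.git
[submodule "vendor/libbar"]
\tpath = vendor/libbar
\turl = git@example.com:org/libbar.git
[submodule "vendor/evil"]
\tpath = vendor/evil
\turl = ssh://-oProxyCommand=id/repo.git
"""


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Return {submodule name: {key: value}} for the submodule sections."""
    modules: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        section = _SUBMODULE_SECTION.match(line)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        if _ANY_SECTION.match(line):
            current = None  # keys of non-submodule sections are ignored
            continue
        kv = _KEY_VALUE.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def ssh_authority(url: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, host, port) for URLs Git would hand to ssh, else None.

    Covers ssh://[user@]host[:port]/path and the scp-like [user@]host:path form.
    """
    if url.startswith("ssh://"):
        authority = url[len("ssh://"):].split("/", 1)[0]
    elif "://" not in url and ":" in url and not url.startswith("/"):
        authority = url.split(":", 1)[0]  # scp-like syntax, assumed worth checking
    else:
        return None
    user, _, hostport = authority.rpartition("@")
    host, _, port = hostport.partition(":")
    return user, host, port


def looks_like_option(component: str) -> bool:
    # ssh parses any leading-dash argument as an option, e.g. -oProxyCommand=...
    return component.startswith("-")


def find_dangerous_submodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule name, url, reason) for every ssh URL with a component
    that the ssh client could read as a command-line option."""
    findings: List[Tuple[str, str, str]] = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        parts = ssh_authority(url)
        if parts is None:
            continue
        for label, value in zip(("user", "host", "port"), parts):
            if looks_like_option(value):
                findings.append((name, url, f"{label} begins with '-': {value!r}"))
    return findings


if __name__ == "__main__":
    for name, url, reason in find_dangerous_submodules(SAMPLE_GITMODULES):
        print(f"{name}: {url} ({reason})")
```

Run it against a real repository with `python3 check_gitmodules.py` after replacing SAMPLE_GITMODULES with the file contents (for example `open(".gitmodules").read()` inside a clone made without --recurse-submodules); a non-empty result means the submodule should not be fetched with an unpatched Git.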

This has been a coordinated release with Subversion and Mercurial, which share a similar issue: CVE-2017-9800 (Subversion) and CVE-2017-1000116 (Mercurial).

We have released updated versions of all the affected containers and Helm charts for Kubernetes.
We continue working on releasing all stacks that ship Git, Subversion or Mercurial.

If you cannot update or migrate to a new version, the workaround is to disable the “ssh://” protocol in your web application. GitLab shows how to do this in their workaround.

Have questions about this security vulnerability for Bitnami solutions that ship Git, Subversion or Mercurial? Post to our Community Forum, and we will be happy to help you.