Security update for git SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0123-1 Final 1 1 2020-01-29T05:11:28Z current 2020-01-29T05:11:28Z 2020-01-29T05:11:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issues: Security issues fixed: - CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787). - CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795). - CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793). - CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792). - CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791). - CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790). - CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789). - CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788). - CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785). - Fixes an issue where git send-email failed to authenticate with SMTP server (bsc#1082023) Bug fixes: - Add zlib dependency, which used to be provided by openssl-devel, so that package can compile successfully after openssl upgrade to 1.1.1. (bsc#1149792). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-123 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ E-Mail link for openSUSE-SU-2020:0123-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082023 SUSE Bug 1082023 https://bugzilla.suse.com/1149792 SUSE Bug 1149792 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 https://bugzilla.suse.com/1158788 SUSE Bug 1158788 https://bugzilla.suse.com/1158789 SUSE Bug 1158789 https://bugzilla.suse.com/1158790 SUSE Bug 1158790 https://bugzilla.suse.com/1158791 SUSE Bug 1158791 https://bugzilla.suse.com/1158792 SUSE Bug 1158792 https://bugzilla.suse.com/1158793 SUSE Bug 1158793 https://bugzilla.suse.com/1158795 SUSE Bug 1158795 https://www.suse.com/security/cve/CVE-2019-1348/ SUSE CVE CVE-2019-1348 page https://www.suse.com/security/cve/CVE-2019-1349/ SUSE CVE CVE-2019-1349 page https://www.suse.com/security/cve/CVE-2019-1350/ SUSE CVE CVE-2019-1350 page https://www.suse.com/security/cve/CVE-2019-1351/ SUSE CVE CVE-2019-1351 page https://www.suse.com/security/cve/CVE-2019-1352/ SUSE CVE CVE-2019-1352 page https://www.suse.com/security/cve/CVE-2019-1353/ SUSE CVE CVE-2019-1353 page https://www.suse.com/security/cve/CVE-2019-1354/ SUSE CVE CVE-2019-1354 page https://www.suse.com/security/cve/CVE-2019-1387/ SUSE CVE CVE-2019-1387 page https://www.suse.com/security/cve/CVE-2019-19604/ SUSE CVE CVE-2019-19604 page openSUSE Leap 15.1 git-2.16.4-lp151.4.3.1 git-arch-2.16.4-lp151.4.3.1 git-core-2.16.4-lp151.4.3.1 git-credential-gnome-keyring-2.16.4-lp151.4.3.1 git-credential-libsecret-2.16.4-lp151.4.3.1 git-cvs-2.16.4-lp151.4.3.1 git-daemon-2.16.4-lp151.4.3.1 git-doc-2.16.4-lp151.4.3.1 git-email-2.16.4-lp151.4.3.1 git-gui-2.16.4-lp151.4.3.1 git-p4-2.16.4-lp151.4.3.1 git-svn-2.16.4-lp151.4.3.1 git-web-2.16.4-lp151.4.3.1 gitk-2.16.4-lp151.4.3.1 perl-Authen-SASL-2.16-lp151.3.3.1 perl-Net-SMTP-SSL-1.04-lp151.3.3.1 git-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-arch-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-core-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-credential-gnome-keyring-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-credential-libsecret-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-cvs-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-daemon-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-doc-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-email-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-gui-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-p4-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-svn-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 git-web-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 gitk-2.16.4-lp151.4.3.1 as a component of openSUSE Leap 15.1 perl-Authen-SASL-2.16-lp151.3.3.1 as a component of openSUSE Leap 15.1 perl-Net-SMTP-SSL-1.04-lp151.3.3.1 as a component of openSUSE Leap 15.1 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. CVE-2019-1348 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 low 3.6 AV:L/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1348.html CVE-2019-1348 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1349 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1349.html CVE-2019-1349 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1350 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1350.html CVE-2019-1350 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158788 SUSE Bug 1158788 A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'. CVE-2019-1351 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1351.html CVE-2019-1351 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158789 SUSE Bug 1158789 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387. CVE-2019-1352 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1352.html CVE-2019-1352 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 https://bugzilla.suse.com/1158790 SUSE Bug 1158790 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. CVE-2019-1353 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1353.html CVE-2019-1353 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158791 SUSE Bug 1158791 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387. CVE-2019-1354 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 low 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1354.html CVE-2019-1354 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158792 SUSE Bug 1158792 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. CVE-2019-1387 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-1387.html CVE-2019-1387 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158793 SUSE Bug 1158793 Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. CVE-2019-19604 openSUSE Leap 15.1:git-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-arch-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-core-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-gnome-keyring-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-credential-libsecret-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-cvs-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-daemon-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-doc-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-email-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-gui-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-p4-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-svn-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:git-web-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:gitk-2.16.4-lp151.4.3.1 openSUSE Leap 15.1:perl-Authen-SASL-2.16-lp151.3.3.1 openSUSE Leap 15.1:perl-Net-SMTP-SSL-1.04-lp151.3.3.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MGTC3VP4MCFQ5HPSFYOHMPVGOI32A7EM/ https://www.suse.com/security/cve/CVE-2019-19604.html CVE-2019-19604 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158795 SUSE Bug 1158795