Hello Chris, On Mon, 20 Mar 2017, Chris Lamb wrote: > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of git: > https://security-tracker.debian.org/tracker/source-package/git > > Would you like to take care of this yourself?
Did you check whether the package was affected? I tried to checkout https://github.com/njhartwell/pw3nage while having bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null) or $(__git_ps1 " (%s)") and was unable to get any code execution. I'm not sure when the vulnerability was introduced but it looks like that 1.7.10.4-1+wheezy3 is not affected at least when using bash. Can someone else double check? For zsh, I'm not sure either. I tried to run it and to set PS1 as documented: PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ ' But here the $(...) part is not even replaced. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
