Security update for libgit2

Announcement ID:	SUSE-SU-2018:4009-1
Rating:	important
References:	bsc#1110949 bsc#1114729
Cross-References:	CVE-2018-17456
CVSS scores:	CVE-2018-17456 ( SUSE ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-17456 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Development Tools Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for libgit2 fixes the following issues:

Security issue fixed:

• CVE-2018-17456: Submodule URLs and paths with a leading "-" are now ignored to avoid injecting options into library consumers that perform recursive clones (bsc#1110949).

Non-security issues fixed:

• Version update to version 0.26.8 (bsc#1114729).
• Full changelog can be found at:
• https://github.com/libgit2/libgit2/releases/tag/v0.26.8
• https://github.com/libgit2/libgit2/releases/tag/v0.26.7

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Development Tools Module 15
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-2865=1

Package List:

• Development Tools Module 15 (aarch64 ppc64le s390x x86_64)
  • libgit2-debugsource-0.26.8-3.8.1
  • libgit2-26-debuginfo-0.26.8-3.8.1
  • libgit2-26-0.26.8-3.8.1
  • libgit2-devel-0.26.8-3.8.1

References:

• https://www.suse.com/security/cve/CVE-2018-17456.html
• https://bugzilla.suse.com/show_bug.cgi?id=1110949
• https://bugzilla.suse.com/show_bug.cgi?id=1114729