If I have a git client on a remote server and only X users have SSH access, should I be concerned with updating git on that server specifically to patch against CVE-2014-9390? It seems to me that the vulnerability is strictly related to .Git/config being clobbered on a case-insensitive filesystem, which would require a git push, which would only ever be accepted (in this case) by trusted users that already have SSH access. Is that the case? Am I missing anything?
Related reading:
This only affects people who pull from untrustworthy repositories. If you know your repository, to which only trustworthy people have update access, does not have malicious contents, you would be safe without the patch.
If any of these trusted users' accounts is compromised and an impersonator is allowed to push malicious contents there, of course you are lost. But you are assuming that will never happen, so ...
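The answer hinges on every pusher being trustworthy. A server operator who does not want to rely on that alone can reject the offending tree entries at push time, which is what the patched git releases do client-side through core.protectHFS and core.protectNTFS. Below is an added example, not code from the question, the answer or the Git project: a standalone Python scanner over the paths a push introduces, suitable for calling from a pre-receive hook. It flags any path component that a case-insensitive filesystem would resolve to .git: case variants such as .Git, NTFS trailing-dot/space stripping and the 8.3 short name GIT~1, and HFS+ names containing the zero-width and format codepoints that HFS+ ignores when comparing filenames. The codepoint list, the sample pushed paths and the hook wiring are this example's own assumptions, not something stated on the page.

```python
"""Scan repository paths for entries that alias .git on case-insensitive filesystems.

Added example for CVE-2014-9390; it is not Git's own implementation and not code
from the original post. A pre-receive hook would feed it the output of
`git diff-tree -r --name-only <old> <new>` for each updated ref.
"""
import sys

# Codepoints HFS+ ignores when comparing filenames (assumed list, modelled on
# the set Git's own verify_path() treats as ignorable).
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def hfs_folds_to_dotgit(component: str) -> bool:
    """HFS+ compares names case-insensitively after dropping ignorable
    codepoints, so '.Git' and '.g\u200cit' both land on '.git'."""
    visible = "".join(ch for ch in component if ord(ch) not in HFS_IGNORED)
    return visible.lower() == ".git"


def ntfs_folds_to_dotgit(component: str) -> bool:
    """NTFS is case-insensitive, strips trailing dots and spaces, and exposes
    an 8.3 short name ('GIT~1') that opens the same directory as '.git'."""
    name = component.rstrip(" .").lower()
    return name in (".git", "git~1")


def is_dotgit_alias(component: str) -> bool:
    """True if a single path component would clobber .git on HFS+ or NTFS."""
    return hfs_folds_to_dotgit(component) or ntfs_folds_to_dotgit(component)


def find_dotgit_paths(paths):
    """Return, in input order, every path with a component that aliases .git.

    Legitimate names such as '.gitignore' or '.github' are left alone because
    they do not fold to exactly '.git'.
    """
    return [p for p in paths if any(is_dotgit_alias(c) for c in p.split("/"))]


# Constructed sample: what `git diff-tree -r --name-only` might print for a
# push mixing benign files with the known attack variants.
SAMPLE_PUSHED_PATHS = [
    "README.md",
    "src/main.c",
    ".Git/config",                      # case variant of .git
    ".git\u200c/hooks/post-checkout",   # HFS+ ignorable codepoint inside the name
    "GIT~1/config",                     # NTFS 8.3 short name
    ".git./HEAD",                       # NTFS strips the trailing dot
    "docs/.gitignore",                  # legitimate
    ".github/workflows/ci.yml",         # legitimate
]


def main() -> int:
    """Hook-style entry point: one path per line on stdin, non-zero exit on a hit."""
    paths = [line.rstrip("\n") for line in sys.stdin if line.strip()]
    bad = find_dotgit_paths(paths)
    for p in bad:
        print(f"rejected: {p!r} would overwrite .git on a case-insensitive checkout")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `git diff-tree -r --name-only "$oldrev" "$newrev" | python3 scan.py` inside the pre-receive loop; a non-zero exit makes git refuse the ref update. Note that the scan covers HFS+ and NTFS aliasing only; it is a server-side complement to, not a replacement for, updating the clients that actually check the code out.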