PublicDateAtUSN: 2019-12-10 18:00:00 UTC
Candidate: CVE-2019-19604
CRD: 2019-12-10 18:00:00 UTC
PublicDate: 2019-12-11 00:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19604
 https://groups.google.com/forum/?fromgroups#!topic/git-packagers/AWRBO_5gqa4
 https://ubuntu.com/security/notices/USN-4220-1
Description:
 Arbitrary command execution is possible in Git before 2.20.2, 2.21.x
 before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x
 before 2.24.1 because a "git submodule update" operation can run commands
 found in the .gitmodules file of a malicious repository.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Joern Schneeweisz
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_git:
upstream_git: released (1:2.24.0-2)
precise/esm_git: DNE
trusty_git: ignored (out of standard support)
trusty/esm_git: DNE
xenial_git: not-affected (2.7.4-0ubuntu1.6)
esm-infra/xenial_git: not-affected (2.7.4-0ubuntu1.6)
bionic_git: not-affected (2.17.1-1ubuntu0.4)
disco_git: released (1:2.20.1-2ubuntu1.19.04.1)
eoan_git: released (1:2.20.1-2ubuntu1.19.10.1)
devel_git: released (1:2.25.0-1ubuntu1)