Security update for libgit2

Announcement ID:	SUSE-SU-2017:0433-1
Rating:	moderate
References:	bsc#1019036 bsc#1019037
Cross-References:	CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 CVE-2017-5338 CVE-2017-5339
CVSS scores:	CVE-2016-10128 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-10129 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10130 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 12-SP2

An update that solves five vulnerabilities can now be installed.

Description:

This update for libgit2 fixes the several issues.

These security issues were fixed:

• CVE-2016-10130: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037).
• CVE-2017-5338: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037).
• CVE-2017-5339: When using the custom certificate callback or when using pygit2 or git2go a attacker could have caused an invalid certificate to be accepted (bsc#1019037).
• CVE-2016-10128: Additional sanitization prevent some edge cases in the Git Smart Protocol which can lead to reading outside of a buffer (bsc#1019036).
• CVE-2016-10129: Additional sanitization prevent some edge cases in the Git Smart Protocol which can lead to reading outside of a buffer (bsc#1019036).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-220=1

Package List:

• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (x86_64)
  • libgit2-24-0.24.1-6.1
  • libgit2-24-debuginfo-0.24.1-6.1
  • libgit2-debugsource-0.24.1-6.1

References:

• https://www.suse.com/security/cve/CVE-2016-10128.html
• https://www.suse.com/security/cve/CVE-2016-10129.html
• https://www.suse.com/security/cve/CVE-2016-10130.html
• https://www.suse.com/security/cve/CVE-2017-5338.html
• https://www.suse.com/security/cve/CVE-2017-5339.html
• https://bugzilla.suse.com/show_bug.cgi?id=1019036
• https://bugzilla.suse.com/show_bug.cgi?id=1019037