The developers behind Git and various companies providing Git repository hosting services have pushed out a fix to patch a dangerous vulnerability in the Git source code versioning software.
The fix is included in Git 2.17.1, which patches two security bugs, CVE-2018-11233 and CVE-2018-11235.
Git flaw leads to arbitrary code execution on users' PCs
Of these, CVE-2018-11235 is considered the more dangerous, as it allows a malicious actor to create a malformed Git repository containing a specially built Git submodule.
Whenever a user clones this repository, the way Git clients handle the malicious submodule may allow an attacker to execute code on the user's system.
Git 2.17.1, released last night, should prevent the execution of these commands on users' computers.
Server-side fixes provided for Git hosting services
But patches aren't only rolled out to Git clients. A fix is also included for Git's server-side component. This server-side fix allows Git hosting services to recognize code repositories containing malicious submodules, and block users from uploading them in the first place.
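The server-side check the article describes amounts to inspecting a repository's `.gitmodules` file before accepting it. The script below is an added illustration of that kind of check, written for this page and not code from the Git project or from any hosting service: it parses a `.gitmodules` file and flags submodule names that are empty or contain a `..` path component, the class of name that Git 2.17.1 rejects because the name is used to build a path under `.git/modules/`. The sample `.gitmodules` content is constructed, and the `example.invalid` URLs are placeholders.

```python
import re

# Constructed sample .gitmodules content (not from the article): one
# ordinary submodule and one whose name contains a ".." path component.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../bad"]
\tpath = bad
\turl = https://example.invalid/bad.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return a list of (name, {key: value}) for each [submodule "name"] section."""
    entries = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            entries.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[1][m.group(1).lower()] = m.group(2)
    return entries


def submodule_name_is_safe(name):
    """Apply the name rule Git 2.17.1 enforces (as understood by this example).

    The name becomes a directory under .git/modules/, so an empty name or any
    ".." component (split on either '/' or '\\') is rejected.
    """
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def find_unsafe_submodules(text):
    """Return the submodule names in a .gitmodules file that fail the check."""
    return [name for name, _ in parse_gitmodules(text)
            if not submodule_name_is_safe(name)]


if __name__ == "__main__":
    for bad_name in find_unsafe_submodules(SAMPLE_GITMODULES):
        print("rejecting submodule name: %r" % bad_name)
```

A hosting service would run this kind of check in a pre-receive hook over the `.gitmodules` blob of every pushed commit and reject the push when the list is non-empty. On a patched Git server the equivalent built-in check is enabled by setting `receive.fsckObjects` (or `transfer.fsckObjects`) to `true`, and clients can set `fetch.fsckObjects` to have the same objects refused on clone.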
Git hosting services like GitHub and Microsoft (via its Visual Studio Team Services) have already deployed the patches to prevent attackers from abusing their services.