Are remote git clients vulnerable to CVE-2014-9390 if only trusted users have access to SSH?

Question

Are remote git clients vulnerable to CVE-2014-9390 if only trusted users have access to SSH?

If I have a git client on a remote server, and only X users have access to SSH, should I be associated with a git update on that server specifically to fix CVE-2014-9390? It seems to me that the vulnerability is strictly related to .Git/config , which .Git/config using a file system that does not require a register, which requires git push , which would ever be accepted (in this case) by trusted users who already have access to Ssh. This is true? Did I miss something?

Related reading:

+7

git

Charlie schliesser Dec 18 '14 at 22:44

source share

1 answer

Gitster · Accepted Answer · 2014-12-18T23:18:35+0000

This only affects people who exit insecure repositories. If you know your repository, which is trusted only by people who have access to the update, do not have malicious content, you can be safe without a patch.

If any of these trusted user accounts are compromised and the impersonal is allowed to enter malicious content from, of course, you are lost. But since you assume that never happens, therefore ...

Are remote git clients vulnerable to CVE-2014-9390 if only trusted users have access to SSH?

More articles: