Errata overview
Errata ID 376
Date 2018-05-08
Source package git
Fixed in version 1:2.1.4-2.1+deb8u5
This update addresses the following issues:
* A malicious third-party can give a crafted "ssh://..." URL to an
  unsuspecting victim, and an attempt to visit the URL can result in any
  program that exists on the victim's machine being executed. Such a URL
  could be placed in the .gitmodules file of a malicious project, and an
  unsuspecting victim could be tricked into running "git clone
  --recurse-submodules" to trigger the vulnerability. (CVE-2017-1000117)
* Git uses unsafe Perl scripts to support subcommands such as cvsserver,
  which allows attackers to execute arbitrary OS commands via shell
  metacharacters in a module name. The vulnerable code is reachable via
  git-shell even without CVS support. (CVE-2017-14867)
Additional notes
CVE ID CVE-2017-1000117
UCS Bug number #45235