* [Announce] Git 2.39.2 and friends @ 2023-02-14 18:05 Junio C Hamano 2023-02-14 18:42 ` rsbecker 0 siblings, 1 reply; 2+ messages in thread From: Junio C Hamano @ 2023-02-14 18:05 UTC (permalink / raw) To: git; +Cc: Linux Kernel, git-packagers, oss-security, git-security A maintenance release Git v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8, are now available at the usual places. These maintenance releases are to address two security issues identified as CVE-2023-22490 and CVE-2023-23946. They both affect ranges of existing versions and users are strongly encouraged to upgrade. The tarballs are found at: https://www.kernel.org/pub/software/scm/git/ The following public repositories all have a copy of the 'v2.39.2' tag, as well as the tags for older maintenance tracks listed above. url = https://git.kernel.org/pub/scm/git/git url = https://kernel.googlesource.com/pub/scm/git/git url = git://repo.or.cz/alt-git.git url = https://github.com/gitster/git The addressed issues are: * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. * CVE-2023-23946: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed by Taylor Blau, with additional help from others on the Git security mailing list. Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix was developed by Patrick Steinhardt. Johannes Schindelin helped greatly in packaging the whole thing and proofreading the result. Thanks. ^ permalink raw reply [flat|nested] 2+ messages in thread
* RE: [Announce] Git 2.39.2 and friends 2023-02-14 18:05 [Announce] Git 2.39.2 and friends Junio C Hamano @ 2023-02-14 18:42 ` rsbecker 0 siblings, 0 replies; 2+ messages in thread From: rsbecker @ 2023-02-14 18:42 UTC (permalink / raw) To: 'Junio C Hamano', git Cc: 'Linux Kernel', git-packagers, oss-security, git-security On February 14, 2023 1:05 PM, Junio C Hamano wrote: >A maintenance release Git v2.39.2, together with releases for older maintenance >tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and >v2.30.8, are now available at the usual places. > >These maintenance releases are to address two security issues identified as CVE- >2023-22490 and CVE-2023-23946. They both affect ranges of existing versions and >users are strongly encouraged to upgrade. > >The tarballs are found at: > > https://www.kernel.org/pub/software/scm/git/ > >The following public repositories all have a copy of the 'v2.39.2' >tag, as well as the tags for older maintenance tracks listed above. > > url = https://git.kernel.org/pub/scm/git/git > url = https://kernel.googlesource.com/pub/scm/git/git > url = git://repo.or.cz/alt-git.git > url = https://github.com/gitster/git > >The addressed issues are: > > * CVE-2023-22490: > > Using a specially-crafted repository, Git can be tricked into using > its local clone optimization even when using a non-local transport. > Though Git will abort local clones whose source $GIT_DIR/objects > directory contains symbolic links (c.f., CVE-2022-39253), the objects > directory itself may still be a symbolic link. > > These two may be combined to include arbitrary files based on known > paths on the victim's filesystem within the malicious repository's > working copy, allowing for data exfiltration in a similar manner as > CVE-2022-39253. > > * CVE-2023-23946: > > By feeding a crafted input to "git apply", a path outside the > working tree can be overwritten as the user who is running "git > apply". > >Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed by >Taylor Blau, with additional help from others on the Git security mailing list. > >Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix was >developed by Patrick Steinhardt. > >Johannes Schindelin helped greatly in packaging the whole thing and proofreading >the result. NonStop build/test/package cycle has started for 2.39.2. If anyone needs one of the friends built for this platform, please let me know. --Randall ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-02-14 18:53 UTC | newest] Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-02-14 18:05 [Announce] Git 2.39.2 and friends Junio C Hamano 2023-02-14 18:42 ` rsbecker
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).