Debian alert DLA-3844-1 (git)
From: Sean Whitton <spwhitton@spwhitton.name>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3844-1] git security update
Date: Wed, 26 Jun 2024 17:31:24 +0800
Message-ID: <87jziccaoj.fsf@melete.silentflame.com>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3844-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Sean Whitton
June 26, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : git
Version        : 1:2.20.1-2+deb10u9
CVE ID         : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
                 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug     : 1034835 1071160

Multiple vulnerabilities were found in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

    It was possible to bypass the previous check for this vulnerability
    using parallel cloning, or the --recurse-submodules option to
    git-checkout(1).

CVE-2023-25652

    Feeding specially-crafted input to 'git apply --reject' could
    overwrite a path outside the working tree with partially controlled
    contents, corresponding to the rejected hunk or hunks from the given
    patch.

CVE-2023-25815

    Low-privileged users could inject malicious messages into Git's
    output under MINGW.

CVE-2023-29007

    A specially-crafted .gitmodules file with submodule URLs longer than
    1024 characters could be used to inject arbitrary configuration into
    $GIT_DIR/config.

CVE-2024-32002

    Repositories with submodules could be specially-crafted to write
    hooks into .git/ which would then be executed during an ongoing
    clone operation.

CVE-2024-32004

    A specially-crafted local repository could cause the execution of
    arbitrary code when cloned by another user.

CVE-2024-32021

    When cloning a local repository that contains symlinks via the
    filesystem, Git could have created hardlinks to arbitrary
    user-readable files on the same filesystem as the target repository
    in the objects/ directory.

CVE-2024-32465

    When cloning a local repository obtained from a downloaded archive,
    hooks in that repository could be used for arbitrary code execution.
For Debian 10 buster, these problems have been fixed in version
1:2.20.1-2+deb10u9.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmZ73+0ZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQDC7D/oCt6oWQAWkOlfSiSE6xPxS HimJMsRiMi3t1i9tnQx7r7Kgcr68PC1ooPd4fZRY3i23wAPktYWVyCsCUXskyRW4 8zJK0giptJUbFWJ4NXVsBrGegUDdKk2DsqbiDexflX8Jribz0fenyLBTFdDHDd3W tmLmUurKjwHYV8/JIUV/4XvQmAtGkPQCysBZOjkU6uEU2vIVX8/eKznfwXjMThS9 vxVBQuIWIuW2KOJILutQBDAncDF24TMGaSubN+rBkx9M1mBL6ApWz2zeHPKyW1mh gpqvHPuXfrd7fMXT6CkTbKTdX2GRjkL3IG12gGDJBtyzBK/nKERRKMPgxCUhRoXb oxJIV2vThC81DDgWQIlfs3DLcOe7dGHLSva1s11GveZdJDorFbfFy9AN6ztBqz1d TIm4hRGoPidpJudSBdQHoNfAYuD92btRkvsMcDHk7M+7mnd37VBmQx3h/dBP6FiK aB1qH3il23RDduRtMMdQ1Zlb9cE9uH6WnYzlFNFbD/zLBLHkhOZ1/stazX+5AGE4 ZND2GLEBuKWsKbZc0bzprcSh1zYmnXRmdLc8ZLWlpRuU/QiL271CAQcDNOOcvrLM S+LGyj0Meda8TxISE5wi8tDJkTnXKRZe0Zwli9a6D4PAhW64y4by71vCI9TI+if7 QUXuskrs6TQFG/F9rNJHOQ== =oMsp -----END PGP SIGNATURE-----