An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1120
Final
1.0
1.0
2023-02-24
Initial
2023-02-24
2023-02-24
openEuler SA Tool V1.0
2023-02-24
git security update
An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.
Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows.
Security Fix(es):
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.(CVE-2023-22490)
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.(CVE-2023-23946)
An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Medium
git
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-22490
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23946
https://nvd.nist.gov/vuln/detail/CVE-2023-22490
https://nvd.nist.gov/vuln/detail/CVE-2023-23946
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
git-debugsource-2.27.0-12.oe1.aarch64.rpm
git-debuginfo-2.27.0-12.oe1.aarch64.rpm
git-daemon-2.27.0-12.oe1.aarch64.rpm
git-2.27.0-12.oe1.aarch64.rpm
git-2.27.0-15.oe1.aarch64.rpm
git-debugsource-2.27.0-15.oe1.aarch64.rpm
git-debuginfo-2.27.0-15.oe1.aarch64.rpm
git-daemon-2.27.0-15.oe1.aarch64.rpm
git-2.33.0-8.oe2203.aarch64.rpm
git-daemon-2.33.0-8.oe2203.aarch64.rpm
git-debuginfo-2.33.0-8.oe2203.aarch64.rpm
git-debugsource-2.33.0-8.oe2203.aarch64.rpm
git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm
git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm
git-core-2.33.0-9.oe2203sp1.aarch64.rpm
git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm
git-2.33.0-9.oe2203sp1.aarch64.rpm
perl-Git-2.27.0-12.oe1.noarch.rpm
git-web-2.27.0-12.oe1.noarch.rpm
gitk-2.27.0-12.oe1.noarch.rpm
git-email-2.27.0-12.oe1.noarch.rpm
git-gui-2.27.0-12.oe1.noarch.rpm
git-help-2.27.0-12.oe1.noarch.rpm
git-svn-2.27.0-12.oe1.noarch.rpm
perl-Git-SVN-2.27.0-12.oe1.noarch.rpm
git-svn-2.27.0-15.oe1.noarch.rpm
gitk-2.27.0-15.oe1.noarch.rpm
git-help-2.27.0-15.oe1.noarch.rpm
git-gui-2.27.0-15.oe1.noarch.rpm
git-email-2.27.0-15.oe1.noarch.rpm
git-web-2.27.0-15.oe1.noarch.rpm
perl-Git-SVN-2.27.0-15.oe1.noarch.rpm
perl-Git-2.27.0-15.oe1.noarch.rpm
perl-Git-2.33.0-8.oe2203.noarch.rpm
git-gui-2.33.0-8.oe2203.noarch.rpm
git-svn-2.33.0-8.oe2203.noarch.rpm
perl-Git-SVN-2.33.0-8.oe2203.noarch.rpm
gitk-2.33.0-8.oe2203.noarch.rpm
git-help-2.33.0-8.oe2203.noarch.rpm
git-web-2.33.0-8.oe2203.noarch.rpm
git-email-2.33.0-8.oe2203.noarch.rpm
git-help-2.33.0-9.oe2203sp1.noarch.rpm
gitk-2.33.0-9.oe2203sp1.noarch.rpm
git-gui-2.33.0-9.oe2203sp1.noarch.rpm
perl-Git-2.33.0-9.oe2203sp1.noarch.rpm
git-email-2.33.0-9.oe2203sp1.noarch.rpm
git-svn-2.33.0-9.oe2203sp1.noarch.rpm
git-web-2.33.0-9.oe2203sp1.noarch.rpm
perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm
git-2.27.0-12.oe1.src.rpm
git-2.27.0-15.oe1.src.rpm
git-2.33.0-8.oe2203.src.rpm
git-2.33.0-9.oe2203sp1.src.rpm
git-debuginfo-2.27.0-12.oe1.x86_64.rpm
git-daemon-2.27.0-12.oe1.x86_64.rpm
git-debugsource-2.27.0-12.oe1.x86_64.rpm
git-2.27.0-12.oe1.x86_64.rpm
git-daemon-2.27.0-15.oe1.x86_64.rpm
git-debuginfo-2.27.0-15.oe1.x86_64.rpm
git-debugsource-2.27.0-15.oe1.x86_64.rpm
git-2.27.0-15.oe1.x86_64.rpm
git-debuginfo-2.33.0-8.oe2203.x86_64.rpm
git-debugsource-2.33.0-8.oe2203.x86_64.rpm
git-daemon-2.33.0-8.oe2203.x86_64.rpm
git-2.33.0-8.oe2203.x86_64.rpm
git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm
git-2.33.0-9.oe2203sp1.x86_64.rpm
git-core-2.33.0-9.oe2203sp1.x86_64.rpm
git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm
git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.
2023-02-24
CVE-2023-22490
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
git security update
2023-02-24
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
2023-02-24
CVE-2023-23946
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
Medium
6.2
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
git security update
2023-02-24
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120