* [Buildroot] [git commit branch/2022.02.x] package/git: security bump to version 2.31.4
@ 2022-09-29 13:48 Peter Korsgaard
0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2022-09-29 13:48 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=beb98993cbd7b0ba2aa025a15a0ce9f07480d182
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.02.x
Fix CVE-2022-29187: Git is a distributed revision control system. Git
prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3,
2.31.4, and 2.30.5, is vulnerable to privilege escalation in all
platforms. An unsuspecting user could still be affected by the issue
reported in CVE-2022-24765, for example when navigating as root into a
shared tmp directory that is owned by them, but where an attacker could
create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4,
2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The
simplest way to avoid being affected by the exploit described in the
example is to avoid running git as root (or an Administrator in
Windows), and if needed to reduce its use to a minimum. While a generic
workaround is not possible, a system could be hardened from the exploit
described in the example by removing any such repository if it exists
already and creating one as root to block any future attacks.
https://github.com/git/git/blob/v2.31.4/Documentation/RelNotes/2.31.4.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 15293e0360cffc8a5e33f57ef1b01a45f17b08d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/git/git.hash | 2 +-
package/git/git.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/git/git.hash b/package/git/git.hash
index 5868fbffda..41afa83f86 100644
--- a/package/git/git.hash
+++ b/package/git/git.hash
@@ -1,5 +1,5 @@
# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc
-sha256 d9167d801cf4aa2abca6e8f43d5d1b383e02e4d257ac1dc071802bb773ed0e2a git-2.31.2.tar.xz
+sha256 84fc20acf8fbea5cad7d5d7be0dfeb32494f1dac8e6c61675c904d1fd3d8c016 git-2.31.4.tar.xz
# Locally calculated
sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING
sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1
diff --git a/package/git/git.mk b/package/git/git.mk
index 981a238acb..dc587170e8 100644
--- a/package/git/git.mk
+++ b/package/git/git.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GIT_VERSION = 2.31.2
+GIT_VERSION = 2.31.4
GIT_SOURCE = git-$(GIT_VERSION).tar.xz
GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git
GIT_LICENSE = GPL-2.0, LGPL-2.1+
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-09-29 13:53 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-29 13:48 [Buildroot] [git commit branch/2022.02.x] package/git: security bump to version 2.31.4 Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.