* [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765
@ 2022-04-12 17:01 Junio C Hamano
From: Junio C Hamano @ 2022-04-12 17:01 UTC (permalink / raw)
To: git; +Cc: Linux Kernel, git-packagers
The latest maintenance release Git v2.35.2, together with releases
for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
v2.34.2, are now available at the usual places.
These maintenance releases are to address the security issues
described in CVE-2022-24765. Please update at your earliest
opportunity.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the 'v2.35.2',
'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = https://github.com/gitster/git
CVE-2022-24765:
On multi-user machines, Git users might find themselves
unexpectedly in a Git worktree, e.g. when another user created a
repository in `C:\.git`, in a mounted network drive or in a
scratch space. Merely having a Git-aware prompt that runs `git
status` (or `git diff`) and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an
editor or IDE such as VS Code or Atom, will potentially run
commands defined by that other user.
Credit for finding this vulnerability goes to 俞晨东; the fix was
authored by Johannes Schindelin.
* Re: [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765
From: SZEDER Gábor @ 2022-04-12 18:05 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git, Linux Kernel, git-packagers
On Tue, Apr 12, 2022 at 10:01:21AM -0700, Junio C Hamano wrote:
> The latest maintenance release Git v2.35.2, together with releases
> for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
> v2.34.2, are now available at the usual places.
>
> These maintenance releases are to address the security issues
> described in CVE-2022-24765. Please update at your earliest
> opportunity.
>
> The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of the 'v2.35.2',
> 'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
>
> url = https://git.kernel.org/pub/scm/git/git
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = https://github.com/gitster/git
>
> CVE-2022-24765:
> On multi-user machines, Git users might find themselves
> unexpectedly in a Git worktree, e.g. when another user created a
> repository in `C:\.git`, in a mounted network drive or in a
> scratch space. Merely having a Git-aware prompt that runs `git
> status` (or `git diff`) and navigating to a directory which is
> supposedly not a Git worktree, or opening such a directory in an
> editor or IDE such as VS Code or Atom, will potentially run
> commands defined by that other user.
>
> Credit for finding this vulnerability goes to 俞晨东; the fix was
> authored by Johannes Schindelin.
This fix causes trouble when attempting to 'sudo make install' any
non-tagged Git revision:
$ git checkout v2.36.0-rc2
HEAD is now at 11cfe55261 Git 2.36-rc2
$ git commit --allow-empty -m foo
[detached HEAD 237ee2a6ef] foo
$ make
GIT_VERSION = 2.36.0.rc2.1.g237ee2a6ef
[...]
$ sudo make install
GIT_VERSION = 2.36.0-rc2
CC version.o
* [ANNOUNCE] Git v2.35.3 and below as a usability fix
From: Junio C Hamano @ 2022-04-14 0:22 UTC (permalink / raw)
To: git; +Cc: git-packagers
The latest maintenance release Git v2.35.3, together with releases
for older maintenance tracks v2.30.4, v2.31.3, v2.32.2, v2.33.3,
and v2.34.3, are now available at the usual places.
These maintenance releases are to address usability issues in the
recent releases 'v2.35.2', 'v2.34.2', 'v2.33.2', 'v2.32.1',
'v2.31.2', and 'v2.30.3', where each "safe" directory has to be
listed in the safe.directory configuration variable. A broader
escape hatch has been added so that the value '*' can be used to
declare "my colleagues and their repositories I may ever visit are
all trustworthy".
The same fix appears in the tip of 'master' and all the integration
branches of the project above 'master', too.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the tags
mentioned above in the first paragraph.
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = https://github.com/gitster/git
Credit for the usability fix goes to Derrick Stolee.
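The ownership check introduced for CVE-2022-24765 and the safe.directory escape hatch described in the v2.35.3 announcement, as an added example that is not part of the thread or of Git's own code. It is a simplified model of the decision (Git's real implementation has more cases, e.g. Windows ownership and worktree paths); the function names, the constructed uids and the paths in the comments are assumptions, and the filesystem audit helper is Unix-only.

```python
import os
from typing import Iterable, Optional

# Added example, not Git's code: approximate the trust decision that
# Git >= v2.35.2 makes when directory discovery lands in a repository,
# plus the safe.directory handling widened in v2.35.3 to accept '*'.


def is_trusted_repo(repo_path: str, owner_uid: int, current_uid: int,
                    safe_directories: Iterable[str]) -> bool:
    """Return True if the repository at repo_path would be used.

    Trusted when the current user owns the repository, or when its path
    (or the wildcard '*') appears in safe.directory. Paths are normalised
    so '/srv/shared/repo/' and '/srv/shared/repo' compare equal.
    """
    if owner_uid == current_uid:
        return True
    wanted = os.path.normpath(repo_path)
    for entry in safe_directories:
        if entry == "*" or os.path.normpath(entry) == wanted:
            return True
    return False


def find_repo_root(start: str) -> Optional[str]:
    """Walk upward from start until a directory containing .git is found,
    mirroring how a Git-aware prompt running 'git status' discovers a
    repository the user never intended to be inside."""
    path = os.path.abspath(start)
    while True:
        if os.path.exists(os.path.join(path, ".git")):
            return path
        parent = os.path.dirname(path)
        if parent == path:          # reached filesystem root, no .git above
            return None
        path = parent


def audit_directory(start: str, safe_directories: Iterable[str]) -> Optional[dict]:
    """Report which repository discovery from start would reach, who owns
    it, and whether the current safe.directory list would trust it."""
    repo = find_repo_root(start)
    if repo is None:
        return None
    owner = os.stat(repo).st_uid
    me = os.getuid()                # Unix-only; assumption of this example
    return {"repo": repo, "owner_uid": owner, "current_uid": me,
            "trusted": is_trusted_repo(repo, owner, me, safe_directories)}
```

Running audit_directory over the directories a shared prompt or IDE opens shows which ones would have executed another user's repository configuration before the fix, and which safe.directory entries now cover them.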