[ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The latest maintenance release Git v2.35.2, together with releases
for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
v2.34.2, are now available at the usual places.

These maintenance releases are to address the security issues
described in CVE-2022-24765.  Please update at your earliest
opportunity.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.35.2',
'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.

  url = https://git.kernel.org/pub/scm/git/git
  url = https://kernel.googlesource.com/pub/scm/git/git
  url = https://github.com/gitster/git

CVE-2022-24765:
   On multi-user machines, Git users might find themselves
   unexpectedly in a Git worktree, e.g. when another user created a
   repository in `C:\.git`, in a mounted network drive or in a
   scratch space. Merely having a Git-aware prompt that runs `git
   status` (or `git diff`) and navigating to a directory which is
   supposedly not a Git worktree, or opening such a directory in an
   editor or IDE such as VS Code or Atom, will potentially run
   commands defined by that other user.

Credit for finding this vulnerability goes to 俞晨东; the fix was
authored by Johannes Schindelin.




[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux