Mark Esler <mark.esler@xxxxxxxxxxxxx> writes:

> Hello,
>
> Could the git developers state their position on CVE-2022-24975? Is it
> disputed or will it be addressed by upstream?
>
> As I read the documentation, --mirror is working as stated and MITRE
> should remove the CVE.
>
> Thank you,
> Mark Esler

It took me a while to Google for "gitbleed" as I got tons of GI bleed but
no Gitbleed, so a quick conclusion is there is no such credible thing
called gitbleed ;-)

Jokes aside (yes, I know about [*]).  As you said, "A repository can have
more than what branch heads and tags can reach, and the --mirror option
is a way to copy all the things that are reachable from other refs.  It
is 100% working as intended."

During the discussion about [*] on the git-security@ mailing list,
everybody said that it is dubious that a CVE is warranted.  I am not sure
there is anything more for us to do.

[Reference]

* https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
  the author of which asked the git-security@ list and, after getting
  things explained, accepted that this is a "working as intended"
  functionality and promised to adjust the blog post entry not to imply
  that the entire repository can be copied.  I do not know how much
  correction was actually made since then, though.
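The point made above (a repository can hold commits that no branch head or tag reaches, and --mirror copies every ref while a plain clone copies only refs/heads/* and refs/tags/*) can be checked locally. The script below is an added example, not part of the thread and not code from the git project: it builds a throwaway upstream with one commit that is reachable only from an arbitrarily named ref, refs/review/42 (standing in for the refs/pull/* or refs/changes/* namespaces review systems use), then compares what a plain clone and a --mirror clone receive. The "demo" committer identity and the temp-directory layout are likewise arbitrary. It also shows a caveat that trips people up when testing this by hand: cloning a path on disk hardlinks the whole object store unless --no-local is given, which would make the unreferenced object appear in the plain clone regardless of refs.

```sh
#!/bin/sh
# Added example, not from the thread or from git itself: show that a plain
# clone copies only what refs/heads/* and refs/tags/* reach, while --mirror
# copies every ref, including ones a plain clone never asks for.
# "refs/review/42" and the "demo" committer identity are arbitrary choices
# for this demonstration. Needs a stock git on PATH.
set -eu

# Build a throwaway upstream repository: one public commit on the branch,
# plus a second commit that is reachable only from a ref outside
# refs/heads and refs/tags (the way review systems keep refs/pull/* or
# refs/changes/*). Prints the hash of that hidden commit.
make_upstream() {
    dir=$1
    git -c init.defaultBranch=main init -q "$dir"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "public commit"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "work not on any branch or tag"
    hidden=$(git -C "$dir" rev-parse HEAD)
    git -C "$dir" update-ref refs/review/42 "$hidden"
    git -C "$dir" reset -q --hard HEAD~1   # the branch no longer points at it
    echo "$hidden"
}

# Clone $src with extra options $opts (deliberately unquoted; may be empty)
# and report whether ref $ref and commit $sha made it into the clone, as
# "ref:yes|no object:yes|no". --no-local matters: for a path on disk git
# would otherwise hardlink the whole object store, and the object would
# show up in the clone even though no fetched ref points at it.
probe_clone() {
    src=$1 opts=$2 ref=$3 sha=$4
    tmp=$(mktemp -d)
    # shellcheck disable=SC2086
    git clone -q --no-local $opts "$src" "$tmp/clone"
    if git -C "$tmp/clone" show-ref --verify --quiet "$ref"; then r=yes; else r=no; fi
    if git -C "$tmp/clone" cat-file -e "$sha" 2>/dev/null; then o=yes; else o=no; fi
    rm -rf "$tmp"
    echo "ref:$r object:$o"
}

# Set up the upstream, then compare a plain clone with a --mirror clone.
run_demo() {
    work=$(mktemp -d)
    hidden=$(make_upstream "$work/upstream")
    echo "upstream: commit $hidden is reachable only from refs/review/42"
    echo "plain clone : $(probe_clone "$work/upstream" ""         refs/review/42 "$hidden")"
    echo "mirror clone: $(probe_clone "$work/upstream" "--mirror" refs/review/42 "$hidden")"
    rm -rf "$work"
}

if command -v git >/dev/null 2>&1; then
    run_demo
else
    echo "git not found on PATH; nothing to demonstrate" >&2
fi
```

The plain clone reports ref:no object:no (neither the ref nor the commit it points at is transferred), the mirror clone reports ref:yes object:yes. That is exactly the documented refspec difference: a plain clone fetches +refs/heads/*:refs/remotes/origin/* plus tags, a mirror clone fetches +refs/*:refs/*. The practical takeaway for anyone hosting repositories is that everything under refs/ on the server, review refs included, is readable by anyone who can fetch, so refs that should not be public must be kept out of the served namespace rather than merely left off the branch list.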