Greetings:

If it helps, Qualys isn't flagging this CVE as we use Git in several versions. I checked our main Git box and nary a flag for it.

Ed Dyer
DevOps Engineer
Malum Consilium Quod Mutari Non Potest

-----Original Message-----
From: Junio C Hamano <gitster@xxxxxxxxx>
Sent: Wednesday, June 1, 2022 5:13 PM
To: Mark Esler <mark.esler@xxxxxxxxxxxxx>
Cc: git@xxxxxxxxxxxxxxx
Subject: Re: CVE-2022-24975

Mark Esler <mark.esler@xxxxxxxxxxxxx> writes:

> Hello,
>
> Could the git developers state their position on CVE-2022-24975? Is it
> disputed or will it be addressed by upstream?
>
> As I read the documentation, --mirror is working as stated and MITRE
> should remove the CVE.
>
> Thank you,
> Mark Esler

It took me a while to Google for "gitbleed" as I got tons of GI bleed but no Gitbleed, so a quick conclusion is there is no such credible thing called gitbleed ;-)

Jokes aside (yes, I know about [*]). As you said, "A repository can have more than what branch heads and tags can reach, and the --mirror option is a way to copy all the things that are reachable from other refs. It is 100% working as intended."

During the discussion about [*] on the git-security@ mailing list, everybody said that it is dubious that a CVE is warranted. I am not sure there is anything more for us to do.

[Reference]

* https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/ the author of which asked the git-security@ list and, after getting things explained, accepted that this is a "working as intended" functionality and promised to adjust the blog post entry not to imply that the entire repository can be copied. I do not know how much correction was actually made since then, though.
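The point made in the thread above, that a plain clone only brings over branches and tags while `--mirror` copies every ref, can be checked locally. The script below is an added example, not code from the thread or from the git project; it builds a constructed throwaway repository with one commit that is reachable only from a ref outside `refs/heads/` and `refs/tags/`, and shows that a plain clone drops it while a mirror clone carries it, so a pre-publication audit of a repository must list all refs, not just branches and tags (the function names and the `refs/other/` namespace are assumptions chosen for the demo).

```shell
#!/bin/sh
# Added example (not from the thread): what `git clone --mirror` copies
# beyond what a plain clone fetches, and how to audit a repo for that.
set -eu

# Audit helper: list every ref that is neither a branch nor a tag
# (remote-tracking refs excluded). Anything printed here is carried over
# by --mirror but not by a plain clone, so review it before publishing.
unusual_refs() {
    git -C "$1" for-each-ref --format='%(refname)' \
        | grep -v -e '^refs/heads/' -e '^refs/tags/' -e '^refs/remotes/' || true
}

# Build a constructed source repo and clone it with the given mode
# (plain | mirror); return the number of unusual refs the clone received.
hidden_refs_in_clone() {
    mode=$1
    work=$(mktemp -d)
    src="$work/source"
    git init -q -b main "$src"
    ( cd "$src" \
      && git -c user.name=demo -c user.email=demo@example.invalid \
             commit -q --allow-empty -m "public commit" \
      && git -c user.name=demo -c user.email=demo@example.invalid \
             commit -q --allow-empty -m "commit reachable only via refs/other" \
      && git update-ref refs/other/leftover HEAD \
      && git reset -q --hard HEAD~1 )   # main no longer points at the second commit
    case $mode in
        plain)  git clone -q "$src" "$work/dst" ;;
        mirror) git clone -q --mirror "$src" "$work/dst" ;;
        *)      echo "unknown mode: $mode" >&2; rm -rf "$work"; return 1 ;;
    esac
    n=$(unusual_refs "$work/dst" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n"
}

# prints 0 for plain, 1 for mirror
printf 'plain clone:  %s unusual ref(s)\nmirror clone: %s unusual ref(s)\n' \
    "$(hidden_refs_in_clone plain)" "$(hidden_refs_in_clone mirror)"
```

Run `unusual_refs /path/to/repo` on a repository you are about to make public to see exactly the refs a mirror clone would expose.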