author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2023-02-07 12:29:48 +0300 |
---|---|---|
committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2023-02-07 12:45:16 +0300 |
commit | 1f127ef85b78b09758cff497374f8299d9f74195 (patch) | |
tree | 95624fdd384de384e40ca2198a3c101d39faf164 | |
parent | 44af1b4e59bac969590878d3deb79ad1dacc2b97 (diff) |
git: Upgrade to Git security release v2.38.4.gl1 and v2.37.6.gl1
Upgrade our Git version to v2.38.4.gl1 and v2.37.6.gl1, which pull in
the security releases Git v2.38.4 and v2.37.6 that address the
following CVEs:
- CVE-2023-22490:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (cf. CVE-2022-39253), the objects
directory itself may still be a symbolic link. These two may be
combined to include arbitrary files based on known paths on the
victim's filesystem within the malicious repository's working copy,
allowing for data exfiltration in a similar manner as CVE-2022-39253.
- CVE-2023-23946:
By feeding a crafted input to "git apply", a path outside the working
tree can be overwritten as the user who is running "git apply".
Changelog: security
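The two conditions the commit message spells out for CVE-2023-22490 (a `$GIT_DIR/objects` that is itself a symbolic link, on top of the symlinks-under-objects case from CVE-2022-39253) and the fixed versions it names can be turned into a quick audit. The shell script below is an added example written for this page; it is not part of this commit, of the project's Makefile, or of Git itself. It assumes only what the message states: the 2.37 line is fixed from v2.37.6 and the 2.38 line from v2.38.4, so for any other release line it reports "not covered" rather than guessing. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of this commit or the project's Makefile).

# 1. Is a Git version string at or above the fixed patch level named in the
#    commit message? Only the two release lines the commit bundles are known
#    from the page: 2.37 (fixed in v2.37.6) and 2.38 (fixed in v2.38.4).
#    Any other line returns 2 ("not covered here") instead of a guess.
#    Accepts "git version 2.38.3", "v2.38.4.gl1" or "2.37.6".
#    Returns 0 = fixed, 1 = vulnerable, 2 = not covered, 3 = unparseable.
git_version_fixed() {
    v=$(printf '%s\n' "$1" \
        | sed -e 's/^git version //' -e 's/^v//' \
        | sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*$/\1/p')
    [ -n "$v" ] || return 3
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 2 ] || return 2
    case "$minor" in
        37) [ "$patch" -ge 6 ] ;;   # v2.37.6 is the fix named on this page
        38) [ "$patch" -ge 4 ] ;;   # v2.38.4 is the fix named on this page
        *)  return 2 ;;
    esac
}

# 2. Does a repository's objects directory have either shape the commit
#    message calls out: $GIT_DIR/objects itself a symlink (CVE-2023-22490),
#    or symlinks underneath it (CVE-2022-39253)?
#    Argument: a .git directory or a bare repository path.
#    Returns 0 = suspicious, 1 = clean, 2 = no objects directory at all.
objects_dir_suspicious() {
    objdir="$1/objects"
    if [ -L "$objdir" ]; then
        return 0
    fi
    [ -d "$objdir" ] || return 2
    if [ -n "$(find "$objdir" -type l 2>/dev/null | head -n 1)" ]; then
        return 0
    fi
    return 1
}

# Usage: report on the installed git, and on one repository passed as $1.
if command -v git >/dev/null 2>&1; then
    rc=0
    git_version_fixed "$(git --version)" || rc=$?
    case "$rc" in
        0) echo "installed git: at or above the fixed version" ;;
        1) echo "installed git: BELOW the fixed version for its line" ;;
        2) echo "installed git: release line not covered by this page" ;;
        *) echo "installed git: version string not understood" ;;
    esac
fi
if [ -n "${1:-}" ]; then
    rc=0
    objects_dir_suspicious "$1" || rc=$?
    case "$rc" in
        0) echo "$1: objects directory is or contains a symlink" ;;
        1) echo "$1: objects directory looks clean" ;;
        *) echo "$1: no objects directory found" ;;
    esac
fi
```

The version check is deliberately narrow: it refuses to classify release lines the page says nothing about, since a "fixed" verdict for 2.39 or 2.36 would be an assumption, not a fact this commit establishes. The repository check is a hygiene scan for repositories you host or ingest; the actual fix is the upgraded Git, because a client that has not upgraded can still be tricked into the local-clone path by a remote that serves such a layout.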
-rw-r--r-- | Makefile | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -134,9 +134,9 @@ GIT_EXECUTABLES += git-http-backend ## tags, branches, and commit ids. GIT_VERSION ?= ## The Git version used for bundled Git v2.37. -GIT_VERSION_2_37_1 ?= v2.37.5.gl1 +GIT_VERSION_2_37_1 ?= v2.37.6.gl1 ## The Git version used for bundled Git v2.38. -GIT_VERSION_2_38 ?= v2.38.3.gl1 +GIT_VERSION_2_38 ?= v2.38.4.gl1 ## Skip overriding the Git version and instead use the Git version as specified ## in the Git sources. This is required when building Git from a version that |
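Review bot: the bump pins the bundled Git by tag name only (`-GIT_VERSION_2_37_1 ?= v2.37.5.gl1` / `+GIT_VERSION_2_37_1 ?= v2.37.6.gl1`, and v2.38.3.gl1 to v2.38.4.gl1 for the 2.38 line), and nothing in this change records a commit id or checksum for either tag, so a moved or re-pushed v2.37.6.gl1 or v2.38.4.gl1 tag would build silently as the "fixed" version; for a security release in particular, consider pinning the commit hash next to the tag or verifying the tag signature where the source is fetched, so the upgrade is attestable rather than trusted by name. Minor: the 2.37 variable is GIT_VERSION_2_37_1 while the 2.38 one is GIT_VERSION_2_38, and the comments above them say only "bundled Git v2.37" and "bundled Git v2.38"; either align the names or add a line explaining the _1 suffix so the two do not read as a typo.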