author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-07-13 08:25:00 +0300 |
---|---|---|
committer | Toon Claes <toon@gitlab.com> | 2022-07-13 17:43:45 +0300 |
commit | b1e1b3fa723c9b7c7f87e846037ed57ab2d6a5e6 (patch) | |
tree | a3796acb81ca8edbde2774eed1df9c21cf808f2b | |
parent | ef92c91a3965be321ed588fb4219e972d3a8828f (diff) |
Makefile: Update libgit2 to v1.3.2 [pks-libgit2-v1.3.2]

Update libgit2 to v1.3.2. This release contains fixes to both
CVE-2022-24765 and CVE-2022-29187, both of which relate to opening
repositories owned by a user different to the current one that may lead
to privilege escalation.

While libgit2 itself is not affected by these vulnerabilities, the
upgrade brings it in line with what Git is doing. Most notably, libgit2
will now refuse to open repositories which are owned by a different
user. This should theoretically not make much of a difference for Gitaly
given that it is expected that all repositories are typically owned by
the same user as the one we're executing as.

Also note that this upgrade does not plug a known vulnerability in
Gitaly itself, but is rather done as a precaution and to not be put in a
position to argue whether we are or aren't susceptible to these CVEs.

-rw-r--r-- | Makefile | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -109,7 +109,7 @@ PROTOC_GEN_GO_GRPC_VERSION?= v1.2.0 # https://github.com/libgit2/git2go/#which-go-version-to-use for a # compatibility matrix. GIT2GO_VERSION ?= v33 -LIBGIT2_VERSION ?= v1.3.0 +LIBGIT2_VERSION ?= v1.3.2 DELVE_VERSION ?= v1.8.3 # protoc target |
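
Review bot: The `+LIBGIT2_VERSION ?= v1.3.2` line carries a behaviour change that nothing in the Makefile records: according to the commit message, libgit2 now refuses to open repositories owned by a different user, and the message only says repositories are "typically" owned by the executing user. A one-line comment above the pin naming CVE-2022-24765 and CVE-2022-29187 and the new ownership check would help whoever next touches this version understand why it must not be lowered, and it would be worth confirming that a test or release note covers installations where repository ownership differs from the Gitaly user. Since `GIT2GO_VERSION ?= v33` is left unchanged next to it, also confirm against the compatibility matrix linked in the comment above that v33 is still the matching git2go release for v1.3.2.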