From b1e1b3fa723c9b7c7f87e846037ed57ab2d6a5e6 Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt
Date: Wed, 13 Jul 2022 07:25:00 +0200
Subject: Makefile: Update libgit2 to v1.3.2

Update libgit2 to v1.3.2. This release contains fixes to both CVE-2022-24765 and CVE-2022-29187, both of which relate to opening repositories owned by a user different to the current one that may lead to privilege escalation.

While libgit2 itself is not affected by these vulnerabilities, the upgrade brings it in line with what Git is doing. Most notably, libgit2 will now refuse to open repositories which are owned by a different user. This should theoretically not make much of a difference for Gitaly given that it is expected that all repositories are typically owned by the same user as the one we're executing as.

Also note that this upgrade does not plug a known vulnerability in Gitaly itself, but is rather done as a precaution and to not be put in a position to argue whether we are or aren't susceptible to these CVEs.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 5e5aea669..1c778a7f1 100644
--- a/Makefile
+++ b/Makefile
@@ -109,7 +109,7 @@ PROTOC_GEN_GO_GRPC_VERSION?= v1.2.0
 # https://github.com/libgit2/git2go/#which-go-version-to-use for a
 # compatibility matrix.
 GIT2GO_VERSION ?= v33
-LIBGIT2_VERSION ?= v1.3.0
+LIBGIT2_VERSION ?= v1.3.2
 DELVE_VERSION ?= v1.8.3
 
 # protoc target
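Review bot: the bumped pin `+LIBGIT2_VERSION ?= v1.3.2` keeps the conditional `?=` assignment, so any CI job or developer environment that already exports LIBGIT2_VERSION (for example still set to v1.3.0) silently builds the old library and does not pick up the CVE-2022-24765 and CVE-2022-29187 fixes this commit is meant to bring in; consider a hard `:=` assignment, or a build-time check that fails when an override is below the minimum, so the precaution the commit message describes cannot be undone by the environment. Two smaller points on the same hunk: GIT2GO_VERSION stays at v33 while libgit2 moves, so the compatibility matrix the comment two lines above links to should be re-checked for the v33 / 1.3.2 pairing; and since the commit message itself notes that libgit2 will now refuse to open repositories owned by a different user, a changelog entry describing that behavioural change would help operators who run Gitaly with mixed-ownership storage paths, given that only the Makefile is touched here.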
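For readers who want to see the shape of the ownership check the commit message refers to, the following is an added Go example written for this page; it is not code from Gitaly, libgit2 or Git, and it does not reproduce libgit2's implementation. It assumes a Unix system (it reads the uid from `syscall.Stat_t`), and the names `ErrUnsafeOwner`, `ownerUID`, `checkRepoOwnership` and `newRepoDir` are hypothetical. The check compares the owner of the repository's top-level directory with the uid the process runs as and refuses to proceed on mismatch; unlike Git it has no `safe.directory`-style allowlist, which is exactly the kind of escape hatch an operator would look for if their storage layout were not single-owner.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// ErrUnsafeOwner is returned when the repository directory is owned by a
// uid other than the one the process runs as. Hypothetical name, introduced
// for this example only.
var ErrUnsafeOwner = errors.New("repository is owned by a different user")

// ownerUID returns the numeric uid that owns path. Unix-only: it relies on
// the *syscall.Stat_t that os.Stat exposes through FileInfo.Sys().
func ownerUID(path string) (uint32, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("%s: no unix ownership information available", path)
	}
	return st.Uid, nil
}

// checkRepoOwnership refuses a repository whose top-level directory is not
// owned by currentUID. It mirrors the intent of the ownership check the
// commit message describes, as a simplified stand-in: no allowlist, no
// special handling for root or sudo, no walk up to the .git directory.
func checkRepoOwnership(repoPath string, currentUID uint32) error {
	uid, err := ownerUID(repoPath)
	if err != nil {
		return err
	}
	if uid != currentUID {
		return fmt.Errorf("%w: %s is owned by uid %d but we run as uid %d",
			ErrUnsafeOwner, repoPath, uid, currentUID)
	}
	return nil
}

// newRepoDir creates a throwaway directory standing in for a repository so
// the example runs offline without a real Git checkout (constructed input).
func newRepoDir() (string, error) {
	return os.MkdirTemp("", "owner-check-")
}

func main() {
	dir, err := newRepoDir()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(dir)

	me := uint32(os.Geteuid())

	// Same user as the directory owner: the repository may be opened.
	fmt.Println("own uid:   ", checkRepoOwnership(dir, me))

	// We cannot chown the directory to another user without privileges, so
	// the "different user" case is simulated by passing a different uid as
	// the caller. The refusal path is the same one a real mismatch would hit.
	fmt.Println("other uid: ", checkRepoOwnership(dir, me+1))
}
```

The deliberate omission here is the allowlist: Git's `safe.directory` exists precisely because the bare ownership comparison breaks shared or service-account layouts, so a production implementation would pair the refusal with an explicit, audited opt-out rather than silently accepting mismatched owners.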