------------------------------------------------------------------------- Debian LTS Advisory DLA-3589-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin September 29, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : python-git Version : 2.1.11-1+deb10u2 CVE ID : CVE-2023-41040 Santos Gallegos discovered a blind local file inclusion in python-git, a Python library to interact with Git repositories, which could lead to denial of service or potentially information disclosure. In order to resolve some git references, python-git reads files from the ".git" directory but, due to improper location check, an attacker can pass a file located outside this directory thereby making python-git read arbitrary file on the system. It remains unclear whether the attacker can gain access to actual file content, but denial of service can be achieved by passing a large or infinite file such as /dev/random. For Debian 10 buster, this problem has been fixed in version 2.1.11-1+deb10u2. We recommend that you upgrade your python-git packages. For the detailed security status of python-git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-git Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature