Re: Debian LTS & ELTS -- June 2024
Hello,
> LTS
>
> - git
>
> - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815,
> CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and
> CVE-2024-32465, and including a follow-up fix for CVE-2019-1387.
>
> We did not include upstream's fix for CVE-2024-32020 because it was
> decided to be inappropriate in a context of long term support.
> For simple git hosting using 'git init --bare --shared', the fix
> broke pulling and pushing by a different UID, unless the local
> administrator deployed relatively fiddly server-side configuration
> changes.
>
> I was pleased to have identified this issue -- after doing so, I
> found that upstream's fix had already been released elsewhere in the
> free software ecosystem, and that there had been regression reports.
>
> Upstream's fix for CVE-2024-32004 relied on the same change, but
> fortunately the fix for CVE-2024-32465 also fixed CVE-2024-32004.
Is there any plan to include those fixes in stable, too?
I'm running a Debian stable server on AWS and using Amazon Inspector;
it warns me that some git CVEs are critical, and it is a bit annoying ;)
--
Hideki Yamane <henrich@iijmio-mail.jp>