git updates in stable (was: Re: Debian LTS & ELTS -- June 2024)
Hi,
On Tue, Jul 23, 2024 at 09:54:14AM +0900, Hideki Yamane wrote:
> Hello,
>
> > LTS
> >
> > - git
> >
> > - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815,
> > CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and
> > CVE-2024-32465, and including a follow-up fix for CVE-2019-1387.
> >
> > We did not include upstream's fix for CVE-2024-32020 because it was
> > decided to be inappropriate in a context of long term support.
> > For simple git hosting using 'git init --bare --shared', the fix
> > broke pulling and pushing by a different UID, unless the local
> > administrator deployed relatively fiddly server-side configuration
> > changes.
> >
> > I was pleased to have identified this issue -- after doing so, I
> > found that upstream's fix had already been released elsewhere in the
> > free software ecosystem, and that there had been regression reports.
> >
> > Upstream's fix for CVE-2024-32004 relied on the same change, but
> > fortunately the fix for CVE-2024-32465 also fixed CVE-2024-32004.
>
> Is there any plan to include those fixes to stable, too?
>
> I'm running a Debian stable server on AWS and using Amazon Inspector;
> it warns me that some git CVEs are critical, and it is a bit annoying ;)
Yes, there is, but the prepared update shows regressions which need to
be addressed. Likewise, the git version in unstable fixing those issues
did not yet migrate to testing:
https://tracker.debian.org/pkg/git
FWIW, if you have questions about stable you might reach out to the
Debian security team via team@s.d.o, as the debian-lts list is about
Debian LTS discussion, and we might miss questions on this list.
Hope this helps,
Regards,
Salvatore