RHSA-2023:3280: Red Hat Security Advisory: rh-git227-git security update
An update for rh-git227-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch.
- CVE-2023-25815: A vulnerability was found in Git. This security flaw occurs when Git is compiled with runtime prefix support and runs without translated messages, yet still uses the gettext machinery to display messages, which subsequently looks for translated messages in unexpected places. This flaw allows the malicious placement of crafted messages.
- CVE-2023-29007: A vulnerability was found in Git. This security flaw occurs when renaming or deleting a section from a configuration file, where certain malicious configuration values may be misinterpreted as the beginning of a new configuration section. This flaw leads to arbitrary configuration injection.
Published:
2023-05-23
Updated:
2023-05-23
RHSA-2023:3280 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: rh-git227-git security update
Type / Severity
Security Advisory: Important
Topic
An update for rh-git227-git is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (CVE-2023-25652)
- git: arbitrary configuration injection when renaming or deleting a section from a configuration file (CVE-2023-29007)
- git: malicious placement of crafted messages when git was compiled with runtime prefix (CVE-2023-25815)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
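As an added example (not part of the advisory or of Red Hat's tooling), the following script checks whether the installed rh-git227-git build is at or past the build this advisory ships, 2.27.0-6.el7 (taken from the package list below), using a port of librpm's version-ordering rules. The `rpm -q` query and the sample version strings are assumptions; when `rpm` is not available the comparison runs on the constructed samples instead.

```python
import shutil
import subprocess

# Fixed build from this advisory's package list (RHSA-2023:3280); no epoch on this package.
FIXED_PACKAGE = "rh-git227-git"
FIXED_EVR = "2.27.0-6.el7"


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are ignored; only alphanumerics, '~' and '^' are significant.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0).
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before anything else (1.0 < 1.0^post1 < 1.0.1).
        if (i < len(a) and a[i] == "^") or (j < len(b) and b[j] == "^"):
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if a[i] != "^":
                return 1
            if b[j] != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a maximal run of digits (or of letters) from both strings.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if isnum else -1  # a numeric segment is newer than an alphabetic one
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # the longer number is the larger one
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1  # strcmp on equal-length segments
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has segments left is newer


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, _, vr = evr.rpartition(":")
    version, sep, release = vr.rpartition("-")
    if not sep:
        raise ValueError(f"not an EVR string: {evr!r}")
    return (epoch or "0", version, release)


def evr_cmp(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for px, py in zip(split_evr(x), split_evr(y)):
        r = rpmvercmp(px, py)
        if r:
            return r
    return 0


def is_fixed(installed: str, fixed: str = FIXED_EVR) -> bool:
    """True when the installed build is the advisory's build or a newer one."""
    return evr_cmp(installed, fixed) >= 0


def installed_evr(package: str = FIXED_PACKAGE):
    """Query the RPM database; None if rpm is unavailable or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", package],
                       capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return r.stdout.strip().replace("(none):", "")  # no epoch -> rpm prints "(none)"


if __name__ == "__main__":
    # Constructed sample values, used when rpm cannot be queried on this machine.
    samples = ["2.27.0-3.el7", "2.27.0-6.el7", "2.27.0-10.el7"]
    live = installed_evr()
    for evr in ([live] if live else samples):
        print(f"{FIXED_PACKAGE}-{evr}: {'fixed' if is_fixed(evr) else 'VULNERABLE'}")
```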
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents
- BZ - 2188337 - CVE-2023-25815 git: malicious placement of crafted messages when git was compiled with runtime prefix
- BZ - 2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file
CVE
- CVE-2023-25652
- CVE-2023-25815
- CVE-2023-29007
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
SRPM
rh-git227-git-2.27.0-6.el7.src.rpm
SHA-256: d35841710b82c479851ab65d3793e73678ab928aa40acf925e16f18391465d73
x86_64
rh-git227-git-2.27.0-6.el7.x86_64.rpm
SHA-256: 62050e157bc6d11de02f09d42583fef67ba1dfb00b49232355a9e227c927664b
rh-git227-git-all-2.27.0-6.el7.noarch.rpm
SHA-256: 7142fd857ddb62bb77920941c6e2ddbdacab5d21176d978894a56d7412b6694b
rh-git227-git-core-2.27.0-6.el7.x86_64.rpm
SHA-256: 184ee77515c232620d513cbe1320339e6b0ef8df17a2bf3c13af83b4fc4eb9f9
rh-git227-git-core-doc-2.27.0-6.el7.noarch.rpm
SHA-256: b962f7e149351ffc9929c2d754c8385d087514bbd946ed88562a1d88ce50ee73
rh-git227-git-credential-libsecret-2.27.0-6.el7.x86_64.rpm
SHA-256: bfca589082b3e8f2fcfa760f0226917131eeeda8fe862e02ea06b1ed41832d66
rh-git227-git-cvs-2.27.0-6.el7.noarch.rpm
SHA-256: e03b2477b364d9af8dcab8e5ce73df09f161055fe8ffdf5ecdedf57a57bbd2dd
rh-git227-git-daemon-2.27.0-6.el7.x86_64.rpm
SHA-256: f13898df8e1c9bbd8e142fb599e16ec41e7bf8ac04e1406cf1ff45934b5487f5
rh-git227-git-debuginfo-2.27.0-6.el7.x86_64.rpm
SHA-256: d63cd63214e06822a80d87a6a76320164ce3c7e634b1f59b2e92a0e807b640ef
rh-git227-git-email-2.27.0-6.el7.noarch.rpm
SHA-256: 8d499777314e5fc038007e2ea1e64c412dd5410bb7984fa2934c89ff8c401edd
rh-git227-git-gui-2.27.0-6.el7.noarch.rpm
SHA-256: 5f00ee29790f9bc583a69305077706e26fe2ab58e6a6f35c3b82c4153119b9b1
rh-git227-git-instaweb-2.27.0-6.el7.noarch.rpm
SHA-256: 211edcd288588c44311b36d7ed416a2a7a163a107bd8a68ca492102c8fd408c5
rh-git227-git-p4-2.27.0-6.el7.noarch.rpm
SHA-256: a4b779919ef42b30d6ec343188b0113b5f0ef38ed5751d9f3cb0d81def055d56
rh-git227-git-subtree-2.27.0-6.el7.x86_64.rpm
SHA-256: 74e41341b8d25b64976196f27799d4cd0cb06696d49fa0cdd4ec639cf7223bbe
rh-git227-git-svn-2.27.0-6.el7.noarch.rpm
SHA-256: 7471a5fc09cecd809615741c04dd33f1b4cec69e1e0975e4368862baf86b0675
rh-git227-gitk-2.27.0-6.el7.noarch.rpm
SHA-256: a7aeed87972839e272edb9941ef0193fb456707a98ef33e2c1a3bb2c876668fb
rh-git227-gitweb-2.27.0-6.el7.noarch.rpm
SHA-256: 628cf7e6c5d01d5a183e2ebeabf268cbefa90c438990ac614a7688da5693d33a
rh-git227-perl-Git-2.27.0-6.el7.noarch.rpm
SHA-256: 35b2fe1a902567bdb48e8f990a6d8bac786d92e990c66abae57e3c4d83c6659a
rh-git227-perl-Git-SVN-2.27.0-6.el7.noarch.rpm
SHA-256: 1817d23d50ce0364ecee9d9efdb0c6f9d80727486e1ffa1e802f9fed6def3dc5
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
SRPM
rh-git227-git-2.27.0-6.el7.src.rpm
SHA-256: d35841710b82c479851ab65d3793e73678ab928aa40acf925e16f18391465d73
s390x
rh-git227-git-2.27.0-6.el7.s390x.rpm
SHA-256: 0926adcac8744c9d4781e3e6dc0334889acb7edcfb8c14a599bb80956de85a28
rh-git227-git-all-2.27.0-6.el7.noarch.rpm
SHA-256: 7142fd857ddb62bb77920941c6e2ddbdacab5d21176d978894a56d7412b6694b
rh-git227-git-core-2.27.0-6.el7.s390x.rpm
SHA-256: 0f6d5f7635a340b5b286b37680c1a6330f5f1e7c58f695721b3651bee2f931e2
rh-git227-git-core-doc-2.27.0-6.el7.noarch.rpm
SHA-256: b962f7e149351ffc9929c2d754c8385d087514bbd946ed88562a1d88ce50ee73
rh-git227-git-credential-libsecret-2.27.0-6.el7.s390x.rpm
SHA-256: 3ad48ff3ea89008a70e5d8883dcf3bbcc31e468f24865b485f2d533ac8ef46f3
rh-git227-git-cvs-2.27.0-6.el7.noarch.rpm
SHA-256: e03b2477b364d9af8dcab8e5ce73df09f161055fe8ffdf5ecdedf57a57bbd2dd
rh-git227-git-daemon-2.27.0-6.el7.s390x.rpm
SHA-256: e9c605e3b2bd40f376879c05e8843a9c313bf75fecfbbfc6f33348a799b89bf2
rh-git227-git-debuginfo-2.27.0-6.el7.s390x.rpm
SHA-256: aa3d85223bfe3aa9a5e1ab779ad038becd4698358ab989707098476310680138
rh-git227-git-email-2.27.0-6.el7.noarch.rpm
SHA-256: 8d499777314e5fc038007e2ea1e64c412dd5410bb7984fa2934c89ff8c401edd
rh-git227-git-gui-2.27.0-6.el7.noarch.rpm
SHA-256: 5f00ee29790f9bc583a69305077706e26fe2ab58e6a6f35c3b82c4153119b9b1
rh-git227-git-instaweb-2.27.0-6.el7.noarch.rpm
SHA-256: 211edcd288588c44311b36d7ed416a2a7a163a107bd8a68ca492102c8fd408c5
rh-git227-git-p4-2.27.0-6.el7.noarch.rpm
SHA-256: a4b779919ef42b30d6ec343188b0113b5f0ef38ed5751d9f3cb0d81def055d56
rh-git227-git-subtree-2.27.0-6.el7.s390x.rpm
SHA-256: 602df64e606cf13f83cd5e34bd87358dd61f47285915716746e8697cd585adf2
rh-git227-git-svn-2.27.0-6.el7.noarch.rpm
SHA-256: 7471a5fc09cecd809615741c04dd33f1b4cec69e1e0975e4368862baf86b0675
rh-git227-gitk-2.27.0-6.el7.noarch.rpm
SHA-256: a7aeed87972839e272edb9941ef0193fb456707a98ef33e2c1a3bb2c876668fb
rh-git227-gitweb-2.27.0-6.el7.noarch.rpm
SHA-256: 628cf7e6c5d01d5a183e2ebeabf268cbefa90c438990ac614a7688da5693d33a
rh-git227-perl-Git-2.27.0-6.el7.noarch.rpm
SHA-256: 35b2fe1a902567bdb48e8f990a6d8bac786d92e990c66abae57e3c4d83c6659a
rh-git227-perl-Git-SVN-2.27.0-6.el7.noarch.rpm
SHA-256: 1817d23d50ce0364ecee9d9efdb0c6f9d80727486e1ffa1e802f9fed6def3dc5
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
SRPM
rh-git227-git-2.27.0-6.el7.src.rpm
SHA-256: d35841710b82c479851ab65d3793e73678ab928aa40acf925e16f18391465d73
ppc64le
rh-git227-git-2.27.0-6.el7.ppc64le.rpm
SHA-256: d85071acb33ced80e08bad9d0fbe02be4b616589b6ca733d2186bb2a8dfd5609
rh-git227-git-all-2.27.0-6.el7.noarch.rpm
SHA-256: 7142fd857ddb62bb77920941c6e2ddbdacab5d21176d978894a56d7412b6694b
rh-git227-git-core-2.27.0-6.el7.ppc64le.rpm
SHA-256: 1d3173ac576ce19c1ef5197a0a228e23c5e477b517fe72e146719a15431b9e86
rh-git227-git-core-doc-2.27.0-6.el7.noarch.rpm
SHA-256: b962f7e149351ffc9929c2d754c8385d087514bbd946ed88562a1d88ce50ee73
rh-git227-git-credential-libsecret-2.27.0-6.el7.ppc64le.rpm
SHA-256: 404b78a2fa92075cad9f9e31181b9958cccd0c6a7feb70d1be8f5cf13926d1c9
rh-git227-git-cvs-2.27.0-6.el7.noarch.rpm
SHA-256: e03b2477b364d9af8dcab8e5ce73df09f161055fe8ffdf5ecdedf57a57bbd2dd
rh-git227-git-daemon-2.27.0-6.el7.ppc64le.rpm
SHA-256: f8e511e5e845efd806bf069cc8ed5c8451ce3bc8aeda7c292d98a9675f19c09d
rh-git227-git-debuginfo-2.27.0-6.el7.ppc64le.rpm
SHA-256: 0fb427ad9c20579f5eb2f6b267f41c0bd38ecaa7c7f385d361f53d4cc9153644
rh-git227-git-email-2.27.0-6.el7.noarch.rpm
SHA-256: 8d499777314e5fc038007e2ea1e64c412dd5410bb7984fa2934c89ff8c401edd
rh-git227-git-gui-2.27.0-6.el7.noarch.rpm
SHA-256: 5f00ee29790f9bc583a69305077706e26fe2ab58e6a6f35c3b82c4153119b9b1
rh-git227-git-instaweb-2.27.0-6.el7.noarch.rpm
SHA-256: 211edcd288588c44311b36d7ed416a2a7a163a107bd8a68ca492102c8fd408c5
rh-git227-git-p4-2.27.0-6.el7.noarch.rpm
SHA-256: a4b779919ef42b30d6ec343188b0113b5f0ef38ed5751d9f3cb0d81def055d56
rh-git227-git-subtree-2.27.0-6.el7.ppc64le.rpm
SHA-256: 5c992ca15835a086baa3e34ea29606dff83644ba0097adde951cf230cda2b91d
rh-git227-git-svn-2.27.0-6.el7.noarch.rpm
SHA-256: 7471a5fc09cecd809615741c04dd33f1b4cec69e1e0975e4368862baf86b0675
rh-git227-gitk-2.27.0-6.el7.noarch.rpm
SHA-256: a7aeed87972839e272edb9941ef0193fb456707a98ef33e2c1a3bb2c876668fb
rh-git227-gitweb-2.27.0-6.el7.noarch.rpm
SHA-256: 628cf7e6c5d01d5a183e2ebeabf268cbefa90c438990ac614a7688da5693d33a
rh-git227-perl-Git-2.27.0-6.el7.noarch.rpm
SHA-256: 35b2fe1a902567bdb48e8f990a6d8bac786d92e990c66abae57e3c4d83c6659a
rh-git227-perl-Git-SVN-2.27.0-6.el7.noarch.rpm
SHA-256: 1817d23d50ce0364ecee9d9efdb0c6f9d80727486e1ffa1e802f9fed6def3dc5
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
SRPM
rh-git227-git-2.27.0-6.el7.src.rpm
SHA-256: d35841710b82c479851ab65d3793e73678ab928aa40acf925e16f18391465d73
x86_64
rh-git227-git-2.27.0-6.el7.x86_64.rpm
SHA-256: 62050e157bc6d11de02f09d42583fef67ba1dfb00b49232355a9e227c927664b
rh-git227-git-all-2.27.0-6.el7.noarch.rpm
SHA-256: 7142fd857ddb62bb77920941c6e2ddbdacab5d21176d978894a56d7412b6694b
rh-git227-git-core-2.27.0-6.el7.x86_64.rpm
SHA-256: 184ee77515c232620d513cbe1320339e6b0ef8df17a2bf3c13af83b4fc4eb9f9
rh-git227-git-core-doc-2.27.0-6.el7.noarch.rpm
SHA-256: b962f7e149351ffc9929c2d754c8385d087514bbd946ed88562a1d88ce50ee73
rh-git227-git-credential-libsecret-2.27.0-6.el7.x86_64.rpm
SHA-256: bfca589082b3e8f2fcfa760f0226917131eeeda8fe862e02ea06b1ed41832d66
rh-git227-git-cvs-2.27.0-6.el7.noarch.rpm
SHA-256: e03b2477b364d9af8dcab8e5ce73df09f161055fe8ffdf5ecdedf57a57bbd2dd
rh-git227-git-daemon-2.27.0-6.el7.x86_64.rpm
SHA-256: f13898df8e1c9bbd8e142fb599e16ec41e7bf8ac04e1406cf1ff45934b5487f5
rh-git227-git-debuginfo-2.27.0-6.el7.x86_64.rpm
SHA-256: d63cd63214e06822a80d87a6a76320164ce3c7e634b1f59b2e92a0e807b640ef
rh-git227-git-email-2.27.0-6.el7.noarch.rpm
SHA-256: 8d499777314e5fc038007e2ea1e64c412dd5410bb7984fa2934c89ff8c401edd
rh-git227-git-gui-2.27.0-6.el7.noarch.rpm
SHA-256: 5f00ee29790f9bc583a69305077706e26fe2ab58e6a6f35c3b82c4153119b9b1
rh-git227-git-instaweb-2.27.0-6.el7.noarch.rpm
SHA-256: 211edcd288588c44311b36d7ed416a2a7a163a107bd8a68ca492102c8fd408c5
rh-git227-git-p4-2.27.0-6.el7.noarch.rpm
SHA-256: a4b779919ef42b30d6ec343188b0113b5f0ef38ed5751d9f3cb0d81def055d56
rh-git227-git-subtree-2.27.0-6.el7.x86_64.rpm
SHA-256: 74e41341b8d25b64976196f27799d4cd0cb06696d49fa0cdd4ec639cf7223bbe
rh-git227-git-svn-2.27.0-6.el7.noarch.rpm
SHA-256: 7471a5fc09cecd809615741c04dd33f1b4cec69e1e0975e4368862baf86b0675
rh-git227-gitk-2.27.0-6.el7.noarch.rpm
SHA-256: a7aeed87972839e272edb9941ef0193fb456707a98ef33e2c1a3bb2c876668fb
rh-git227-gitweb-2.27.0-6.el7.noarch.rpm
SHA-256: 628cf7e6c5d01d5a183e2ebeabf268cbefa90c438990ac614a7688da5693d33a
rh-git227-perl-Git-2.27.0-6.el7.noarch.rpm
SHA-256: 35b2fe1a902567bdb48e8f990a6d8bac786d92e990c66abae57e3c4d83c6659a
rh-git227-perl-Git-SVN-2.27.0-6.el7.noarch.rpm
SHA-256: 1817d23d50ce0364ecee9d9efdb0c6f9d80727486e1ffa1e802f9fed6def3dc5
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Debian Linux Security Advisory 5769-1 - Multiple issues were found in Git, a fast, scalable, distributed revision control system, which may result in file overwrites outside the repository, arbitrary configuration injection or arbitrary code execution.
IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...
Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-17419: The Miek Gieben DNS library is vulnerable to a denial of service caused by a segmentation violation in setTA in scan_rr.go. By persuading a victim to open a specially-crafted file, a...
Red Hat Security Advisory 2023-3309-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.42. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-25815: A vulnerability was found in Git. This ...
Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-17419: The Miek Gieben DNS library is vulnerable to a denial of service caused by a segmentation violation in setTA in scan_rr.go. By persuading a victim to open a specially-crafted file, a ...
Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...
Red Hat Security Advisory 2023-3263-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-29007: A vulnerability was found in Git. This security flaw occurs when ...
An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-29007: A vulnerability was found in Git. This security flaw occurs when ...
Red Hat Security Advisory 2023-3245-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3245-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3245-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3247-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3247-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3247-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3243-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3243-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Red Hat Security Advisory 2023-3243-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
An update for git is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-25815: A vulnerability was found in Git. This ...
An update for git is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-25815: A vulnerability was found in Git. This ...
An update for git is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-25815: A vulnerability was found in Git. This ...
Ubuntu Security Notice 6050-2 - USN-6050-1 fixed several vulnerabilities in Git. This update provides the corresponding updates for CVE-2023-25652 and CVE-2023-29007 on Ubuntu 16.04 LTS. It was discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to overwrite paths.
An update for git is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25652: A vulnerability was found in Git. This security flaw occurs when feeding specially crafted input to `git apply --reject`; a path outside the working tree can be overwritten with partially controlled contents corresponding to the rejected hunk(s) from the given patch. * CVE-2023-25815: A vulnerability was found in ...
Ubuntu Security Notice 6050-1 - It was discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to overwrite some paths. Maxime Escourbiac and Yassine BENGANA discovered that Git incorrectly handled some gettext machinery. An attacker could possibly use this issue to allow the malicious placement of crafted messages. Andre Baptista and Vitor Pinho discovered that Git incorrectly handled certain configurations. An attacker could possibly use this issue to perform arbitrary configuration injection.
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.), this can lead to remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
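As an added example (not part of any of the advisories above, nor of Git itself), a small Python pre-check implementing the two defensive measures the two descriptions above suggest: deciding whether an installed Git version is at or past the fixed release for its minor line, and flagging `.gitmodules` submodule URLs longer than 1024 characters (the trigger condition named for the config-injection bug) before anyone runs `git submodule deinit` on a freshly cloned repository. The fixed-version list is the one quoted in the advisory text; the sample `.gitmodules` content and the `example.invalid` host are constructed for the example.

```python
"""Pre-checks for the two Git issues described above (added example)."""
import re
import subprocess

# Fixed releases quoted in the advisory text, one per maintained minor line.
FIXED_VERSIONS = [
    "2.30.9", "2.31.8", "2.32.7", "2.33.8", "2.34.8", "2.35.8",
    "2.36.6", "2.37.7", "2.38.5", "2.39.3", "2.40.1",
]

# URL length above which the advisory says the config-section bug is reachable.
MAX_SAFE_URL_LEN = 1024

# Constructed sample .gitmodules: one ordinary submodule and one whose URL
# exceeds the limit (the host example.invalid is a placeholder).
SAMPLE_GITMODULES = (
    '[submodule "lib/safe"]\n'
    '\tpath = lib/safe\n'
    '\turl = https://example.invalid/safe.git\n'
    '[submodule "lib/suspicious"]\n'
    '\tpath = lib/suspicious\n'
    '\turl = https://example.invalid/' + "a" * 1100 + '.git\n'
)


def parse_version(text):
    """Return (major, minor, patch) from text such as 'git version 2.39.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed(version_text):
    """True if the version is at or above the fixed release for its minor line.

    Minor lines newer than any listed (2.41 and later) already contain the fix;
    lines older than 2.30 received no fix in the advisory and are reported as
    not fixed.
    """
    major, minor, patch = parse_version(version_text)
    fixes = {parse_version(v)[:2]: parse_version(v)[2] for v in FIXED_VERSIONS}
    if (major, minor) in fixes:
        return patch >= fixes[(major, minor)]
    return (major, minor) > max(fixes)


def long_submodule_urls(gitmodules_text):
    """Return [(submodule name, url length)] for every URL over the limit.

    Minimal INI-style parse of .gitmodules: '[submodule "name"]' headers
    followed by 'key = value' lines; only the url key is inspected.
    """
    findings = []
    name = None
    for raw in gitmodules_text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"(.+)"\]$', line)
        if header:
            name = header.group(1)
            continue
        kv = re.match(r"url\s*=\s*(.*)$", line)
        if kv and name is not None and len(kv.group(1)) > MAX_SAFE_URL_LEN:
            findings.append((name, len(kv.group(1))))
    return findings


if __name__ == "__main__":
    # Local git, if present; otherwise fall back to the constructed sample.
    try:
        installed = subprocess.run(["git", "--version"], capture_output=True,
                                   text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        installed = "git version 2.39.2"  # constructed fallback value
    print(installed.strip(), "->", "fixed" if is_fixed(installed) else "NOT fixed")
    for sub, length in long_submodule_urls(SAMPLE_GITMODULES):
        print("submodule %r has a %d-character url (limit %d)"
              % (sub, length, MAX_SAFE_URL_LEN))
```

To use it on a real checkout, read the repository's `.gitmodules` into `long_submodule_urls()` before running `git submodule deinit`; a non-empty result is the cue to inspect the submodule sections in `$GIT_DIR/config` by hand, as the workaround above recommends.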
In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It do...