RHSA-2023:0609: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may allow remote code execution.
  • CVE-2022-41903: A flaw was found in Git, a distributed revision control system. This issue occurs due to an integer overflow in `pretty.c::format_and_pad_commit()`, where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.
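Both flaws above are the same bug class: a length derived from repository content (padding widths in a format string, counts of patterns and attributes) is accumulated in an `int` or multiplied without an overflow check, so a wrapped or truncated value passes a bounds check that the true `size_t` value would have failed. The C below is an added illustration of that class and its fix, not code from Git or from this advisory; all function names are hypothetical, and the checked helpers follow the idea of Git's `st_add`/`st_mult` overflow-checking macros (which abort on overflow) without reproducing them.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern (hypothetical): bytes needed for a table of
 * `patterns` x `attrs` entries of `entry` bytes each. Uses unsigned so
 * the wraparound is well-defined C; with the signed int of the real
 * bug the overflow is undefined behaviour, which is worse, not better.
 * A wrapped result means a too-small allocation followed by writes
 * past its end. */
unsigned naive_table_bytes(unsigned patterns, unsigned attrs, unsigned entry)
{
    return patterns * attrs * entry;   /* may wrap to a small value */
}

/* Does a size_t survive a round-trip through int unchanged?
 * Values above INT_MAX do not; storing them in an int is the
 * truncation described for CVE-2022-41903. */
int fits_in_int(size_t v)
{
    return v <= (size_t)INT_MAX;
}

/* Overflow-checked addition: returns 1 and stores a+b in *out,
 * or returns 0 when the sum would not fit in size_t. */
int checked_add(size_t a, size_t b, size_t *out)
{
    if (SIZE_MAX - a < b)
        return 0;
    *out = a + b;
    return 1;
}

/* Overflow-checked multiplication, same contract as checked_add. */
int checked_mult(size_t a, size_t b, size_t *out)
{
    if (a != 0 && SIZE_MAX / a < b)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked replacement for naive_table_bytes: refuses instead of wrapping. */
int attribute_table_bytes(size_t patterns, size_t attrs, size_t entry,
                          size_t *out)
{
    size_t per_pattern;
    if (!checked_mult(attrs, entry, &per_pattern))
        return 0;
    return checked_mult(patterns, per_pattern, out);
}

/* Destination offset for appending `pad` bytes after `base` bytes into a
 * buffer of `cap` bytes. Computed entirely in size_t and rejected when it
 * overflows or exceeds the buffer, so the offset handed to a copy routine
 * can never be wrapped, negative, or out of bounds. */
int safe_offset(size_t base, size_t pad, size_t cap, size_t *out)
{
    size_t total;
    if (!checked_add(base, pad, &total))
        return 0;
    if (total > cap)
        return 0;
    *out = total;
    return 1;
}

int main(void)
{
    size_t n;
    /* 2^20 * 2^12 * 2^10 wraps to 0 in 32-bit unsigned arithmetic. */
    printf("naive: %u bytes\n", naive_table_bytes(1u << 20, 1u << 12, 1024u));
    printf("checked: %s\n",
           attribute_table_bytes(SIZE_MAX, 2, 1, &n) ? "ok" : "refused");
    printf("offset: %s\n",
           safe_offset(100, 29, 128, &n) ? "ok" : "refused");
    return 0;
}
```

The defender's takeaway is the shape of the fix, not the values: keep lengths in `size_t` end to end, check every addition and multiplication before it is used to size an allocation or index a copy, and fail closed when the check trips.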
Red Hat Security Data

Synopsis

Important: git security update

Type/Severity

Security Advisory: Important

Topic

An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

  • git: gitattributes parsing integer overflow (CVE-2022-23521)
  • git: Heap overflow in `git archive`, `git log --format` leading to RCE (CVE-2022-41903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64
  • Red Hat Enterprise Linux Server - TUS 8.2 x86_64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2 x86_64

Fixes

  • BZ - 2162055 - CVE-2022-23521 git: gitattributes parsing integer overflow
  • BZ - 2162056 - CVE-2022-41903 git: Heap overflow in `git archive`, `git log --format` leading to RCE

References

  • https://access.redhat.com/security/updates/classification/#important

Red Hat Enterprise Linux Server - AUS 8.2

SRPM

git-2.18.4-3.el8_2.src.rpm

SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b

x86_64

git-2.18.4-3.el8_2.x86_64.rpm

SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b

git-all-2.18.4-3.el8_2.noarch.rpm

SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228

git-core-2.18.4-3.el8_2.x86_64.rpm

SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9

git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0

git-core-doc-2.18.4-3.el8_2.noarch.rpm

SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645

git-daemon-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e

git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5

git-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8

git-debugsource-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e

git-email-2.18.4-3.el8_2.noarch.rpm

SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6

git-gui-2.18.4-3.el8_2.noarch.rpm

SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c

git-instaweb-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835

git-subtree-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666

git-svn-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7

git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865

gitk-2.18.4-3.el8_2.noarch.rpm

SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951

gitweb-2.18.4-3.el8_2.noarch.rpm

SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f

perl-Git-2.18.4-3.el8_2.noarch.rpm

SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935

perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm

SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872

Red Hat Enterprise Linux Server - TUS 8.2

SRPM

git-2.18.4-3.el8_2.src.rpm

SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b

x86_64

git-2.18.4-3.el8_2.x86_64.rpm

SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b

git-all-2.18.4-3.el8_2.noarch.rpm

SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228

git-core-2.18.4-3.el8_2.x86_64.rpm

SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9

git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0

git-core-doc-2.18.4-3.el8_2.noarch.rpm

SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645

git-daemon-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e

git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5

git-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8

git-debugsource-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e

git-email-2.18.4-3.el8_2.noarch.rpm

SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6

git-gui-2.18.4-3.el8_2.noarch.rpm

SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c

git-instaweb-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835

git-subtree-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666

git-svn-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7

git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865

gitk-2.18.4-3.el8_2.noarch.rpm

SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951

gitweb-2.18.4-3.el8_2.noarch.rpm

SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f

perl-Git-2.18.4-3.el8_2.noarch.rpm

SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935

perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm

SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2

SRPM

git-2.18.4-3.el8_2.src.rpm

SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b

ppc64le

git-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: 5cd112f66427eb9f980b5939e9f34ac4df3c2c06d9325f6f706f79a98535aead

git-all-2.18.4-3.el8_2.noarch.rpm

SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228

git-core-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: c1041fb88d0e4b71ca56e3f53cdfcdd44077877c5fc0a0e7ab3f0e8155a27159

git-core-debuginfo-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: e18509ae5e7debc83b0a85866c3e3681934b104291ec1543dea5c316f3dac5e9

git-core-doc-2.18.4-3.el8_2.noarch.rpm

SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645

git-daemon-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: d4900cd4c9f7aa2ea1de15b8cd251d5b28e801c2486e109702354fb774a8155c

git-daemon-debuginfo-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: e28ced9897058664052f2f17adada92853f9dcad84c5032dc1aeaa6ec543b7b1

git-debuginfo-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: dc7af65947f4a337e2de05ff721a74ce1c5d2486249f339ae42c45970a0406b0

git-debugsource-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: ccf1342bbf95ad32c6af7b5ef864038526cff8109d913aeadea14ee6db72b9c1

git-email-2.18.4-3.el8_2.noarch.rpm

SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6

git-gui-2.18.4-3.el8_2.noarch.rpm

SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c

git-instaweb-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: 7470ba8009cc09d7133b5c0d312a7cd0b8bbc40ea164f53c5bdbd0dae30ae1a0

git-subtree-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: 241e197d9d93d9c4fe7bf294ee7e809c28e31abb761915dc4c8d35e9b17bf141

git-svn-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: 030cde5e7ea5ce64272af540ea56011e6f9dd9d2f055209c668f9431788f6ea9

git-svn-debuginfo-2.18.4-3.el8_2.ppc64le.rpm

SHA-256: a09be6851454e28c137dff4b6b783cef5883b0dd97b9a26de56b51f8b6d68cec

gitk-2.18.4-3.el8_2.noarch.rpm

SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951

gitweb-2.18.4-3.el8_2.noarch.rpm

SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f

perl-Git-2.18.4-3.el8_2.noarch.rpm

SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935

perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm

SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2

SRPM

git-2.18.4-3.el8_2.src.rpm

SHA-256: 1e44a91039c3775efcc48bfbff9d777200d3b594af38343f3d9a27256b15065b

x86_64

git-2.18.4-3.el8_2.x86_64.rpm

SHA-256: c1de6ab86f6491ecb03d0d6bac2ce23979f2697a5aecc045273ac14a3710259b

git-all-2.18.4-3.el8_2.noarch.rpm

SHA-256: 2f7b667cae79e4ebaec60a7b6f45fa554df603a2ed5c0bfda8030ed622836228

git-core-2.18.4-3.el8_2.x86_64.rpm

SHA-256: afe4dbf85d4c9b6121e20345a8e10d140f7b5e5607c0217d6c89dae6690e82c9

git-core-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 121657287371655f84ab37195de765054d5e8a391d73ce05283ad98a10e6b8c0

git-core-doc-2.18.4-3.el8_2.noarch.rpm

SHA-256: 5ec9ff8f4ff570a4188d6bf5ac18d520174651519212990ce19ffd02ae644645

git-daemon-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 02428b3c36d82eb611764dc078fb0040198eb918f6664e6a15adc14c4f13907e

git-daemon-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 6ea33f57fba614dc1581dade2459b1726b261098c8e7a3cabbe793567ee642d5

git-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: bb403256ea03efa30cbd2627706e95574c80ec1c0b132a729148885b376e31f8

git-debugsource-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbd38afc69c298fff22a84bd51d73db4d32a0ae2a1e1e13727891508e6c8491e

git-email-2.18.4-3.el8_2.noarch.rpm

SHA-256: 725f9dd78deb873fdb4db718abccf4c4b54f0fd25596aca53c0394a9f99acda6

git-gui-2.18.4-3.el8_2.noarch.rpm

SHA-256: 532761abf0dc486c8d72870523590568940211b4f4ff10444cfc5f2a456fa87c

git-instaweb-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 829a290f3cf272dbce94ecec4f7b3f847e18e724344b6a8997261e60d11f5835

git-subtree-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 30be54ca22a9205cb96658ae146abe131a613dff6a2f7c47b045a1d62d0e2666

git-svn-2.18.4-3.el8_2.x86_64.rpm

SHA-256: 24ce18f609c27fe5040e392f545f9885e3c5ee182ed107bfc145fd4c4cb33dc7

git-svn-debuginfo-2.18.4-3.el8_2.x86_64.rpm

SHA-256: cbfabe763ed5853e70881d83c6aab22707434de23da27ac652d9e9e6fc80d865

gitk-2.18.4-3.el8_2.noarch.rpm

SHA-256: ae458d7e462126a41ea8f79cb74538404a0b5d59fe08a26a2c11ecd46ce2b951

gitweb-2.18.4-3.el8_2.noarch.rpm

SHA-256: ba38d654e3e456cb54b8c4e61d61dfe7f1b9af40121490e5d532b718eb41b35f

perl-Git-2.18.4-3.el8_2.noarch.rpm

SHA-256: d3c2bd64ad2c6d8a4dde3432ba4dd51874e46b8ca1d5b30994c530652eca8935

perl-Git-SVN-2.18.4-3.el8_2.noarch.rpm

SHA-256: 7065efcc1dce0f5a56676346d04ce1c8c1043e93dcb362a04eda633ce26bd872

Related news

Gentoo Linux Security Advisory 202312-15

Gentoo Linux Security Advisory 202312-15 - Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution. Versions greater than or equal to 2.39.3 are affected.

CVE-2023-0923

A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

Red Hat Security Advisory 2023-1158-01

Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-5810-4

Ubuntu Security Notice 5810-4 - USN-5810-1 fixed several vulnerabilities in Git. This update provides the corresponding update for Ubuntu 14.04 ESM. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Red Hat Security Advisory 2023-0977-01

Red Hat Security Advisory 2023-0977-01 - Red Hat OpenShift Data Science 1.22.1 security update. Issues addressed include an improper authorization vulnerability.

RHSA-2023:0978: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...

RHSA-2023:0977: Red Hat Security Advisory: Red Hat OpenShift Data Science 1.22.1 security update

An update for kubeflow, dashboard, deployer is now available for Red Hat OpenShift Data Science 1.22. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0923: A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0769-01

Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

RHSA-2023:0804: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functio...

Red Hat Security Advisory 2023-0794-01

Red Hat Security Advisory 2023-0794-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-0633-01

Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.

Red Hat Security Advisory 2023-0632-01

Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.

RHSA-2023:0698: Red Hat Security Advisory: OpenShift Container Platform 4.10.52 security update

Red Hat OpenShift Container Platform release 4.10.52 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3064: A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.

Red Hat Security Advisory 2023-0627-01

Red Hat Security Advisory 2023-0627-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0628-01

Red Hat Security Advisory 2023-0628-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0599-01

Red Hat Security Advisory 2023-0599-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0596-01

Red Hat Security Advisory 2023-0596-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0609-01

Red Hat Security Advisory 2023-0609-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0610-01

Red Hat Security Advisory 2023-0610-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

RHSA-2023:0628: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...

RHSA-2023:0610: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...

RHSA-2023:0611: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...

RHSA-2023:0596: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...

RHSA-2023:0599: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be tri...

RHSA-2023:0597: Red Hat Security Advisory: rh-git227-git security update

An update for rh-git227-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.g...

Debian Security Advisory 5332-1

Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, trick local users into executing arbitrary commands, leak information from the local filesystem, and bypass a restricted shell.

Ubuntu Security Notice USN-5810-2

Ubuntu Security Notice 5810-2 - USN-5810-1 fixed vulnerabilities in Git. This update introduced a regression as it was missing some commit lines. This update fixes the problem. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Update now! Two critical flaws in Git's code found, patched

CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git's code. Thankfully, they've been addressed in its latest version. The post Update now! Two critical flaws in Git's code found, patched appeared first on Malwarebytes Labs.

Ubuntu Security Notice USN-5810-1

Ubuntu Security Notice 5810-1 - Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code. Joern Schneeweisz discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Git Users Urged to Update Software to Prevent Remote Code Execution Attacks

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.

CVE-2022-41903: Heap overflow in `git archive`, `git log --format` leading to RCE

Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to u...

CVE-2022-23521: gitattributes parsing integer overflow

Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching each pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched i...