RHSA-2023:0610: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may allow remote code execution.
  • CVE-2022-41903: A flaw was found in Git, a distributed revision control system. This issue occurs due to an integer overflow in `pretty.c::format_and_pad_commit()`, where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.
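The two overflow classes described above, as an added illustration that is not git's code: a `size_t` width narrowed to `int` before it feeds a `memcpy()`, beside a hardened version that keeps the arithmetic in `size_t` and bounds the copy by the destination capacity, plus a checked multiply for the count-times-element-size arithmetic that sizes an allocation. All function names (`pad_unchecked`, `pad_checked`, `checked_mul`, `width_fits_int`) are hypothetical stand-ins, not identifiers from `pretty.c` or the gitattributes parser.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the two integer-overflow classes named in this
 * advisory.  None of this is git's code: pad_unchecked() and pad_checked()
 * stand in for the "size_t stored as int, then used for a memcpy() offset"
 * pattern (CVE-2022-41903), and checked_mul() for the "count times element
 * size" allocation arithmetic (CVE-2022-23521).
 */

/* A size_t width only survives being stored in an int when it is at most
 * INT_MAX.  Anything larger becomes an implementation-defined (typically
 * negative) value, which is what corrupts the later offset arithmetic. */
bool width_fits_int(size_t width)
{
    return width <= (size_t)INT_MAX;
}

/* The unsafe pattern: the width is narrowed to int and neither it nor the
 * destination capacity is checked before the copy.  Kept only so the checks
 * in pad_checked() have something to contrast with; do not use. */
int pad_unchecked(char *dst, size_t cap, const char *src, size_t width)
{
    int w = (int)width;                      /* size_t silently narrowed */
    size_t len = strlen(src);
    (void)cap;                               /* capacity never consulted */
    memcpy(dst, src, len);
    memset(dst + len, ' ', (size_t)w - len); /* negative w: huge length */
    dst[w] = '\0';
    return w;
}

/* Hardened: arithmetic stays in size_t, the width is bounded before any use,
 * and the copy is bounded by the destination capacity.  Pads `src` with
 * spaces to at least `width` columns; returns the bytes written (excluding
 * the NUL) or 0 when the request is refused. */
size_t pad_checked(char *dst, size_t cap, const char *src, size_t width)
{
    size_t len = strlen(src);
    size_t out = len > width ? len : width;  /* never shorter than src */

    if (!width_fits_int(width))   /* the value the bug mis-stored */
        return 0;
    if (out >= cap)               /* need `out` bytes plus the NUL */
        return 0;
    memcpy(dst, src, len);
    memset(dst + len, ' ', out - len);
    dst[out] = '\0';
    return out;
}

/* The allocation-size pattern: count * elem must not wrap in size_t.
 * Returns false instead of handing back a too-small allocation size. */
bool checked_mul(size_t count, size_t elem, size_t *bytes)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *bytes = count * elem;
    return true;
}

int main(void)
{
    char buf[32];
    size_t bytes;

    if (pad_checked(buf, sizeof buf, "abc", 8))
        printf("padded: [%s]\n", buf);
    if (!pad_checked(buf, sizeof buf, "abc", (size_t)INT_MAX + 1))
        puts("oversized width refused");
    if (!checked_mul(SIZE_MAX / 2 + 1, 4, &bytes))
        puts("allocation size would wrap; refused");
    return 0;
}
```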

Synopsis

Important: git security update

Type/Severity

Security Advisory: Important

Description

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

  • git: gitattributes parsing integer overflow (CVE-2022-23521)
  • git: Heap overflow in `git archive`, `git log --format` leading to RCE (CVE-2022-41903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2162055 - CVE-2022-23521 git: gitattributes parsing integer overflow
  • BZ - 2162056 - CVE-2022-41903 git: Heap overflow in `git archive`, `git log --format` leading to RCE

Red Hat Enterprise Linux for x86_64 8

SRPM

  • git-2.31.1-3.el8_7.src.rpm (SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff)

x86_64

  • git-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 9e4f36711c8aadfd59148bb045b282c86a9cf1498157a91636c5c5987e560419)
  • git-all-2.31.1-3.el8_7.noarch.rpm (SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c)
  • git-core-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 298fd1f8f5b15e5838b1a13b4fe24e04d7c07a543268a3c2bf418f8e062523ae)
  • git-core-debuginfo-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 22e442399afc320510e47f7ed29dd1f2bf5a19b4015036b4c34cbbbedc1ce8ce)
  • git-core-doc-2.31.1-3.el8_7.noarch.rpm (SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34)
  • git-credential-libsecret-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 86cb7664d2e1cea4a6c5d3f202be4b9d6422b4a237b298e88c5bb3f4e3a618b0)
  • git-credential-libsecret-debuginfo-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 192cf3dd3f59c058f4c34cc934576ddf7efd38f46e3edfe1fdcf29a89b0df328)
  • git-daemon-2.31.1-3.el8_7.x86_64.rpm (SHA-256: fd88ff06c9ae3a38ee93bb35665799a8ac6f56bf75751b3455a69e15f486a86e)
  • git-daemon-debuginfo-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 22e61e3efaa3082fa9b87dbdec95426352471d62d4c3a80c8a38f4a9f1848972)
  • git-debuginfo-2.31.1-3.el8_7.x86_64.rpm (SHA-256: e8744f5a5f80697581d0109b50d0d2a1c6f6dd2b7d398ebb070bea8e0fe1ce5c)
  • git-debugsource-2.31.1-3.el8_7.x86_64.rpm (SHA-256: 6c505a7662f7796cbebb589f7a4b80901cd5fe7001c272aff302deb3b1ba90ba)
  • git-email-2.31.1-3.el8_7.noarch.rpm (SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5)
  • git-gui-2.31.1-3.el8_7.noarch.rpm (SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3)
  • git-instaweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7)
  • git-subtree-2.31.1-3.el8_7.x86_64.rpm (SHA-256: a020f471954d48443061a32165b74b6a0c94739c2781ab2d332fb81c8c1f0569)
  • git-svn-2.31.1-3.el8_7.noarch.rpm (SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762)
  • gitk-2.31.1-3.el8_7.noarch.rpm (SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb)
  • gitweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1)
  • perl-Git-2.31.1-3.el8_7.noarch.rpm (SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd)
  • perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm (SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274)

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

  • git-2.31.1-3.el8_7.src.rpm (SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff)

s390x

  • git-2.31.1-3.el8_7.s390x.rpm (SHA-256: 0038486feac171602d604394c70eb6b949901136ca67b7c8acc9827998eb4087)
  • git-all-2.31.1-3.el8_7.noarch.rpm (SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c)
  • git-core-2.31.1-3.el8_7.s390x.rpm (SHA-256: babe6e93e43143b14ce7b2c96e26bec46602e57e03454809284c35595e9e69f5)
  • git-core-debuginfo-2.31.1-3.el8_7.s390x.rpm (SHA-256: 92db5d2e68e8255debb3184ddb8d34bcf37121baee269a0e6ab446c1afbed167)
  • git-core-doc-2.31.1-3.el8_7.noarch.rpm (SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34)
  • git-credential-libsecret-2.31.1-3.el8_7.s390x.rpm (SHA-256: c6a9d4dee6748abe2d19aeaaa93b7e07f50dea441e23effa6f4c878eb70c2b9c)
  • git-credential-libsecret-debuginfo-2.31.1-3.el8_7.s390x.rpm (SHA-256: 7f2a083d8692647a32c8dc45bcbdbc23d5e5115b046d451c082ab043a766a7cd)
  • git-daemon-2.31.1-3.el8_7.s390x.rpm (SHA-256: e10842d8173bdbe71b802fe476040365d4406b805d5a64ae62ef366fc5c8b12c)
  • git-daemon-debuginfo-2.31.1-3.el8_7.s390x.rpm (SHA-256: a07c2503669465f25ec4ce897af230a3d22a95ca42d51e6e4572ef340dd786a3)
  • git-debuginfo-2.31.1-3.el8_7.s390x.rpm (SHA-256: 7e75ea4ff01dda2ae5fffa6a15f15dfd4dde8bffc59d13c392b009073f9e72d0)
  • git-debugsource-2.31.1-3.el8_7.s390x.rpm (SHA-256: 9e3e764a3fe4a6881033712653e2c2ac2ee173e4acd03131a850fd1deac9cf2e)
  • git-email-2.31.1-3.el8_7.noarch.rpm (SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5)
  • git-gui-2.31.1-3.el8_7.noarch.rpm (SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3)
  • git-instaweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7)
  • git-subtree-2.31.1-3.el8_7.s390x.rpm (SHA-256: 976b572900f6b35c256b7aac4dcd28333ce7bbbdf1b8746763842c7c2a78f4f0)
  • git-svn-2.31.1-3.el8_7.noarch.rpm (SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762)
  • gitk-2.31.1-3.el8_7.noarch.rpm (SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb)
  • gitweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1)
  • perl-Git-2.31.1-3.el8_7.noarch.rpm (SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd)
  • perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm (SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274)

Red Hat Enterprise Linux for Power, little endian 8

SRPM

  • git-2.31.1-3.el8_7.src.rpm (SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff)

ppc64le

  • git-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: 99ce73de956f4902bba382814df355a382ae756a5b9184a5d42e0a33a8c3fcde)
  • git-all-2.31.1-3.el8_7.noarch.rpm (SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c)
  • git-core-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: 986e43b3e347c8b30afa86a30869bdae9c3fce4eae58dbd5ecb33916bd4e930b)
  • git-core-debuginfo-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: 0575be10670cce84d29acc92304b0302c6b884092e1ab69a73a0aec066b291fa)
  • git-core-doc-2.31.1-3.el8_7.noarch.rpm (SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34)
  • git-credential-libsecret-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: aaacebb29e5bf3f0eeec3423ccb560b91d7fb49b80f41f0c60adc50ba98d6f5e)
  • git-credential-libsecret-debuginfo-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: 5167fa61b7a983eff36c13cfd61708789c5ef7850580e011fdc714a330471eda)
  • git-daemon-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: f99350d6264782b307c2b73f48791742baaf5630a48893a9d9ef26d26ebfe905)
  • git-daemon-debuginfo-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: b761f36110db6efe0122418914a7da168dd5befd0b739126466432d4263ea330)
  • git-debuginfo-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: fae8c753994bdb8f92ed91f5397eed61735ae0dbfc39f02a538447d4f7b6930d)
  • git-debugsource-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: c3bfe313ea317fdbe63fcddd501609bca6ae441890e66c4c7c6ef82491512719)
  • git-email-2.31.1-3.el8_7.noarch.rpm (SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5)
  • git-gui-2.31.1-3.el8_7.noarch.rpm (SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3)
  • git-instaweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7)
  • git-subtree-2.31.1-3.el8_7.ppc64le.rpm (SHA-256: c701d69443438df3cdf02277c123c75ec8b8a417911e187096fbd39f52abdb72)
  • git-svn-2.31.1-3.el8_7.noarch.rpm (SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762)
  • gitk-2.31.1-3.el8_7.noarch.rpm (SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb)
  • gitweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1)
  • perl-Git-2.31.1-3.el8_7.noarch.rpm (SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd)
  • perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm (SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274)

Red Hat Enterprise Linux for ARM 64 8

SRPM

  • git-2.31.1-3.el8_7.src.rpm (SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff)

aarch64

  • git-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 9c426cd2ba272879570c5f509b32d22789831e2797ea456d23dc94bb3df46dd1)
  • git-all-2.31.1-3.el8_7.noarch.rpm (SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c)
  • git-core-2.31.1-3.el8_7.aarch64.rpm (SHA-256: f36522c737129ab89b8ad6aab919f17d6a018a892bff4671e09359399be928c2)
  • git-core-debuginfo-2.31.1-3.el8_7.aarch64.rpm (SHA-256: f6884c6ba07ca8d63c8b2d6ed188a64b2692577351f123d80057e41ce6a16c01)
  • git-core-doc-2.31.1-3.el8_7.noarch.rpm (SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34)
  • git-credential-libsecret-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 0de059caf37f10915b5bc614f25b5372f503300bc28588843156aec6d38e8bed)
  • git-credential-libsecret-debuginfo-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 42c6554f634c17720737fe7f2841482ce5e353d9f440dd45ab70e5338d94551f)
  • git-daemon-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 5058d98c49538c0ee0c09390fcfdb32f64f9f9c0cc6278f1bb053ec3c00ec3bb)
  • git-daemon-debuginfo-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 5079d66fe2d086e2289969a178b67696fc15e269481c91d4d3be9d589a9798fe)
  • git-debuginfo-2.31.1-3.el8_7.aarch64.rpm (SHA-256: d395cd5ab9eb5f9a3a57ee188d1a74ce5a7a46f4bb3f5714f942f3d169b1b6c5)
  • git-debugsource-2.31.1-3.el8_7.aarch64.rpm (SHA-256: 81c5b31bc8ebca8ce4ba28d9d7151d26ae9588808075e9add9ac80c36c9c736e)
  • git-email-2.31.1-3.el8_7.noarch.rpm (SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5)
  • git-gui-2.31.1-3.el8_7.noarch.rpm (SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3)
  • git-instaweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7)
  • git-subtree-2.31.1-3.el8_7.aarch64.rpm (SHA-256: fb97c34e4c78c62785503c2f746bd761af91f640338f5b6ecbd1da670375dd0d)
  • git-svn-2.31.1-3.el8_7.noarch.rpm (SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762)
  • gitk-2.31.1-3.el8_7.noarch.rpm (SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb)
  • gitweb-2.31.1-3.el8_7.noarch.rpm (SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1)
  • perl-Git-2.31.1-3.el8_7.noarch.rpm (SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd)
  • perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm (SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274)

Related news

Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo

Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and

Red Hat Security Advisory 2023-1677-01

Red Hat Security Advisory 2023-1677-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-1158-01

Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-5810-4

Ubuntu Security Notice 5810-4 - USN-5810-1 fixed several vulnerabilities in Git. This update provides the corresponding update for Ubuntu 14.04 ESM. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Red Hat Security Advisory 2023-0978-01

Red Hat Security Advisory 2023-0978-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

RHSA-2023:0934: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...

RHSA-2023:0774: Red Hat Security Advisory: OpenShift Container Platform 4.11.28 security update

Red Hat OpenShift Container Platform release 4.11.28 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...

RHSA-2023:0769: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...

Red Hat Security Advisory 2023-0802-01

Red Hat Security Advisory 2023-0802-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Important.

Red Hat Security Advisory 2023-0794-01

Red Hat Security Advisory 2023-0794-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-0633-01

Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.

RHSA-2023:0794: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.4 bug fixes and security updates

Red Hat Advanced Cluster Management for Kubernetes 2.6.4 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload i...

RHSA-2023:0632: Red Hat Security Advisory: Red Hat OpenShift (Logging Subsystem) security update

An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...

Red Hat Security Advisory 2023-0627-01

Red Hat Security Advisory 2023-0627-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0628-01

Red Hat Security Advisory 2023-0628-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0599-01

Red Hat Security Advisory 2023-0599-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0609-01

Red Hat Security Advisory 2023-0609-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0610-01

Red Hat Security Advisory 2023-0610-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

RHSA-2023:0628: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...

RHSA-2023:0627: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...

RHSA-2023:0611: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...

RHSA-2023:0609: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there i...

RHSA-2023:0596: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...

RHSA-2023:0599: Red Hat Security Advisory: git security update

An update for git is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be tri...

RHSA-2023:0597: Red Hat Security Advisory: rh-git227-git security update

An update for rh-git227-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.g...

Debian Security Advisory 5332-1

Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users to execute arbitrary commands, leak information from the local filesystem, and bypass restricted shells.

Ubuntu Security Notice USN-5810-2

Ubuntu Security Notice 5810-2 - USN-5810-1 fixed vulnerabilities in Git. This update introduced a regression as it was missing some commit lines. This update fixes the problem. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Update now! Two critical flaws in Git's code found, patched

CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git's code. Thankfully, they’ve been addressed in its latest version. (Malwarebytes Labs)

Ubuntu Security Notice USN-5810-1

Ubuntu Security Notice 5810-1 - Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code. Joern Schneeweisz discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Git Users Urged to Update Software to Prevent Remote Code Execution Attacks

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0.

CVE-2022-41903: Heap overflow in `git archive`, `git log --format` leading to RCE

Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to u...

CVE-2022-23521: gitattributes parsing integer overflow

Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching each pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched i...