RHSA-2023:0610: Red Hat Security Advisory: git security update
An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may allow remote code execution.
- CVE-2022-41903: A flaw was found in Git, a distributed revision control system. This issue occurs due to an integer overflow in `pretty.c::format_and_pad_commit()`, where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.
Synopsis
Important: git security update
Type/Severity
Security Advisory: Important
Topic
An update for git is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.
Security Fix(es):
- git: gitattributes parsing integer overflow (CVE-2022-23521)
- git: Heap overflow in `git archive`, `git log --format` leading to RCE (CVE-2022-41903)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2162055 - CVE-2022-23521 git: gitattributes parsing integer overflow
- BZ - 2162056 - CVE-2022-41903 git: Heap overflow in `git archive`, `git log --format` leading to RCE
Red Hat Enterprise Linux for x86_64 8
SRPM
git-2.31.1-3.el8_7.src.rpm
SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff
x86_64
git-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 9e4f36711c8aadfd59148bb045b282c86a9cf1498157a91636c5c5987e560419
git-all-2.31.1-3.el8_7.noarch.rpm
SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c
git-core-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 298fd1f8f5b15e5838b1a13b4fe24e04d7c07a543268a3c2bf418f8e062523ae
git-core-debuginfo-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 22e442399afc320510e47f7ed29dd1f2bf5a19b4015036b4c34cbbbedc1ce8ce
git-core-doc-2.31.1-3.el8_7.noarch.rpm
SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34
git-credential-libsecret-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 86cb7664d2e1cea4a6c5d3f202be4b9d6422b4a237b298e88c5bb3f4e3a618b0
git-credential-libsecret-debuginfo-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 192cf3dd3f59c058f4c34cc934576ddf7efd38f46e3edfe1fdcf29a89b0df328
git-daemon-2.31.1-3.el8_7.x86_64.rpm
SHA-256: fd88ff06c9ae3a38ee93bb35665799a8ac6f56bf75751b3455a69e15f486a86e
git-daemon-debuginfo-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 22e61e3efaa3082fa9b87dbdec95426352471d62d4c3a80c8a38f4a9f1848972
git-debuginfo-2.31.1-3.el8_7.x86_64.rpm
SHA-256: e8744f5a5f80697581d0109b50d0d2a1c6f6dd2b7d398ebb070bea8e0fe1ce5c
git-debugsource-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 6c505a7662f7796cbebb589f7a4b80901cd5fe7001c272aff302deb3b1ba90ba
git-email-2.31.1-3.el8_7.noarch.rpm
SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5
git-gui-2.31.1-3.el8_7.noarch.rpm
SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3
git-instaweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7
git-subtree-2.31.1-3.el8_7.x86_64.rpm
SHA-256: a020f471954d48443061a32165b74b6a0c94739c2781ab2d332fb81c8c1f0569
git-svn-2.31.1-3.el8_7.noarch.rpm
SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762
gitk-2.31.1-3.el8_7.noarch.rpm
SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb
gitweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1
perl-Git-2.31.1-3.el8_7.noarch.rpm
SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd
perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm
SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
git-2.31.1-3.el8_7.src.rpm
SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff
s390x
git-2.31.1-3.el8_7.s390x.rpm
SHA-256: 0038486feac171602d604394c70eb6b949901136ca67b7c8acc9827998eb4087
git-all-2.31.1-3.el8_7.noarch.rpm
SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c
git-core-2.31.1-3.el8_7.s390x.rpm
SHA-256: babe6e93e43143b14ce7b2c96e26bec46602e57e03454809284c35595e9e69f5
git-core-debuginfo-2.31.1-3.el8_7.s390x.rpm
SHA-256: 92db5d2e68e8255debb3184ddb8d34bcf37121baee269a0e6ab446c1afbed167
git-core-doc-2.31.1-3.el8_7.noarch.rpm
SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34
git-credential-libsecret-2.31.1-3.el8_7.s390x.rpm
SHA-256: c6a9d4dee6748abe2d19aeaaa93b7e07f50dea441e23effa6f4c878eb70c2b9c
git-credential-libsecret-debuginfo-2.31.1-3.el8_7.s390x.rpm
SHA-256: 7f2a083d8692647a32c8dc45bcbdbc23d5e5115b046d451c082ab043a766a7cd
git-daemon-2.31.1-3.el8_7.s390x.rpm
SHA-256: e10842d8173bdbe71b802fe476040365d4406b805d5a64ae62ef366fc5c8b12c
git-daemon-debuginfo-2.31.1-3.el8_7.s390x.rpm
SHA-256: a07c2503669465f25ec4ce897af230a3d22a95ca42d51e6e4572ef340dd786a3
git-debuginfo-2.31.1-3.el8_7.s390x.rpm
SHA-256: 7e75ea4ff01dda2ae5fffa6a15f15dfd4dde8bffc59d13c392b009073f9e72d0
git-debugsource-2.31.1-3.el8_7.s390x.rpm
SHA-256: 9e3e764a3fe4a6881033712653e2c2ac2ee173e4acd03131a850fd1deac9cf2e
git-email-2.31.1-3.el8_7.noarch.rpm
SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5
git-gui-2.31.1-3.el8_7.noarch.rpm
SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3
git-instaweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7
git-subtree-2.31.1-3.el8_7.s390x.rpm
SHA-256: 976b572900f6b35c256b7aac4dcd28333ce7bbbdf1b8746763842c7c2a78f4f0
git-svn-2.31.1-3.el8_7.noarch.rpm
SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762
gitk-2.31.1-3.el8_7.noarch.rpm
SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb
gitweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1
perl-Git-2.31.1-3.el8_7.noarch.rpm
SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd
perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm
SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274
Red Hat Enterprise Linux for Power, little endian 8
SRPM
git-2.31.1-3.el8_7.src.rpm
SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff
ppc64le
git-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: 99ce73de956f4902bba382814df355a382ae756a5b9184a5d42e0a33a8c3fcde
git-all-2.31.1-3.el8_7.noarch.rpm
SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c
git-core-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: 986e43b3e347c8b30afa86a30869bdae9c3fce4eae58dbd5ecb33916bd4e930b
git-core-debuginfo-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: 0575be10670cce84d29acc92304b0302c6b884092e1ab69a73a0aec066b291fa
git-core-doc-2.31.1-3.el8_7.noarch.rpm
SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34
git-credential-libsecret-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: aaacebb29e5bf3f0eeec3423ccb560b91d7fb49b80f41f0c60adc50ba98d6f5e
git-credential-libsecret-debuginfo-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: 5167fa61b7a983eff36c13cfd61708789c5ef7850580e011fdc714a330471eda
git-daemon-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: f99350d6264782b307c2b73f48791742baaf5630a48893a9d9ef26d26ebfe905
git-daemon-debuginfo-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: b761f36110db6efe0122418914a7da168dd5befd0b739126466432d4263ea330
git-debuginfo-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: fae8c753994bdb8f92ed91f5397eed61735ae0dbfc39f02a538447d4f7b6930d
git-debugsource-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: c3bfe313ea317fdbe63fcddd501609bca6ae441890e66c4c7c6ef82491512719
git-email-2.31.1-3.el8_7.noarch.rpm
SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5
git-gui-2.31.1-3.el8_7.noarch.rpm
SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3
git-instaweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7
git-subtree-2.31.1-3.el8_7.ppc64le.rpm
SHA-256: c701d69443438df3cdf02277c123c75ec8b8a417911e187096fbd39f52abdb72
git-svn-2.31.1-3.el8_7.noarch.rpm
SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762
gitk-2.31.1-3.el8_7.noarch.rpm
SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb
gitweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1
perl-Git-2.31.1-3.el8_7.noarch.rpm
SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd
perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm
SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274
Red Hat Enterprise Linux for ARM 64 8
SRPM
git-2.31.1-3.el8_7.src.rpm
SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff
aarch64
git-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 9c426cd2ba272879570c5f509b32d22789831e2797ea456d23dc94bb3df46dd1
git-all-2.31.1-3.el8_7.noarch.rpm
SHA-256: b44905add5e7ae0e43d792a3c05ee0adf2d40e3a57abec2f0ba0ffb3e56cee0c
git-core-2.31.1-3.el8_7.aarch64.rpm
SHA-256: f36522c737129ab89b8ad6aab919f17d6a018a892bff4671e09359399be928c2
git-core-debuginfo-2.31.1-3.el8_7.aarch64.rpm
SHA-256: f6884c6ba07ca8d63c8b2d6ed188a64b2692577351f123d80057e41ce6a16c01
git-core-doc-2.31.1-3.el8_7.noarch.rpm
SHA-256: d63442a8e95986bd260b386707cc5ea9db834b95b5e6d8cab4dcc331fe80de34
git-credential-libsecret-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 0de059caf37f10915b5bc614f25b5372f503300bc28588843156aec6d38e8bed
git-credential-libsecret-debuginfo-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 42c6554f634c17720737fe7f2841482ce5e353d9f440dd45ab70e5338d94551f
git-daemon-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 5058d98c49538c0ee0c09390fcfdb32f64f9f9c0cc6278f1bb053ec3c00ec3bb
git-daemon-debuginfo-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 5079d66fe2d086e2289969a178b67696fc15e269481c91d4d3be9d589a9798fe
git-debuginfo-2.31.1-3.el8_7.aarch64.rpm
SHA-256: d395cd5ab9eb5f9a3a57ee188d1a74ce5a7a46f4bb3f5714f942f3d169b1b6c5
git-debugsource-2.31.1-3.el8_7.aarch64.rpm
SHA-256: 81c5b31bc8ebca8ce4ba28d9d7151d26ae9588808075e9add9ac80c36c9c736e
git-email-2.31.1-3.el8_7.noarch.rpm
SHA-256: 3f8436e9d4fde20c35a170f6079a450f6d2d21f723fb1e84cdcdb03002defcc5
git-gui-2.31.1-3.el8_7.noarch.rpm
SHA-256: afb0d274c81be6cc487e169132840c016a089225cffbc647d5f315d21ca224a3
git-instaweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 8ab8d441cabeea0e6efc4a738750d1cd0f36094ea571e6ee7743b4508a9d1de7
git-subtree-2.31.1-3.el8_7.aarch64.rpm
SHA-256: fb97c34e4c78c62785503c2f746bd761af91f640338f5b6ecbd1da670375dd0d
git-svn-2.31.1-3.el8_7.noarch.rpm
SHA-256: 5250b8adcf2685ffb3adf4872c4b6834824dd8d345bd3321a0b75d2ad3f92762
gitk-2.31.1-3.el8_7.noarch.rpm
SHA-256: 7848aa797841b313ac7e18e18c65fa11a6eb4d879c1a8472fb19e069be2c30eb
gitweb-2.31.1-3.el8_7.noarch.rpm
SHA-256: 9416c1b49c2e1f5754945620846855dab553b82454ec29b2a3121035da2028b1
perl-Git-2.31.1-3.el8_7.noarch.rpm
SHA-256: 779754ac5f785315d20359bdb0660c7112659ebe4d3422c23206e6c347ac7bcd
perl-Git-SVN-2.31.1-3.el8_7.noarch.rpm
SHA-256: 426fc7644a262f0248959b4066b7937f5b68495287192423df002fd21ff51274
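The two checks an administrator actually runs against this advisory are "is the installed git at or above the fixed build?" and "do the RPMs I downloaded match the SHA-256 values listed above?". The script below is an added example, not Red Hat's tooling and not part of the advisory. The fixed build `git-2.31.1-3.el8_7` and the two `MANIFEST_TEXT` entries are copied from the package list above; everything else (the `rpmvercmp` port, the NEVR parser, the placeholder files written by `demo_verify()`) is this example's own code. Version comparison uses a Python port of rpm's `rpmvercmp()` rather than a plain string or `sort -V` comparison, because RPM release strings such as `3.el8_7.1` or `~rc1` do not order lexically.

```python
"""Host checks for RHSA-2023:0610 (fixed build git-2.31.1-3.el8_7). Added example, not Red Hat
tooling: a port of rpm's rpmvercmp() for the installed-vs-fixed check, plus SHA-256 verification."""
import hashlib, os, re, tempfile

# FIXED_NEVR and the two MANIFEST_TEXT entries are copied from the advisory's package list.
FIXED_NEVR = "git-2.31.1-3.el8_7"
MANIFEST_TEXT = """\
git-2.31.1-3.el8_7.src.rpm
SHA-256: e31f8525a5e73ac9267038da2130a7a527c33f9d240f0c40dd803817c1b29eff
git-core-2.31.1-3.el8_7.x86_64.rpm
SHA-256: 298fd1f8f5b15e5838b1a13b4fe24e04d7c07a543268a3c2bf418f8e062523ae
"""
_NEVR = re.compile(r"^(.+)-(?:(\d+):)?([^-]+)-([^-]+)$")  # name-[epoch:]version-release

def rpmvercmp(a, b):
    """-1/0/1 with rpm's rules: digit vs alpha segments, '~' sorts lowest, '^' above end."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1  # skip separators such as '.', '_', '-'
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta, tb = a[i:i + 1], b[j:j + 1]
        if "~" in (ta, tb) or "^" in (ta, tb):
            mark = "~" if "~" in (ta, tb) else "^"  # tilde is tested first, as in rpm
            if mark == "^" and not (ta and tb):   # end of string sorts below '^' ...
                return -1 if not ta else 1
            if ta != mark or tb != mark:           # ... but '~' sorts below even that
                return 1 if ta != mark else -1
            i, j = i + 1, j + 1
            continue
        if not (ta and tb):
            break
        num = ta.isdigit()
        kind = str.isdigit if num else str.isalpha
        ea, eb = i, j
        while ea < len(a) and kind(a[ea]):
            ea += 1
        while eb < len(b) and kind(b[eb]):
            eb += 1
        seg_a, seg_b = a[i:ea], b[j:eb]
        if not seg_b:                       # numeric segment beats alpha segment
            return 1 if num else -1
        if num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ea, eb
    # Equal when both are exhausted; otherwise whichever side has characters left wins.
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def parse_nevr(s):
    """'name-[epoch:]version-release' -> (name, epoch, version, release)."""
    m = _NEVR.match(s)
    if not m:
        raise ValueError("not a NEVR: %r" % s)
    return m[1], int(m[2] or 0), m[3], m[4]

def compare_nevr(a, b):
    """Compare two builds of one package: epoch first, then version, then release."""
    na, ea, va, ra = parse_nevr(a)
    nb, eb, vb, rb = parse_nevr(b)
    if na != nb:
        raise ValueError("different packages: %s vs %s" % (na, nb))
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_nevr, fixed_nevr=FIXED_NEVR):
    """True when the installed build is at or above the advisory's fixed build."""
    return compare_nevr(installed_nevr, fixed_nevr) >= 0

def parse_manifest(text):
    """The advisory's 'filename' / 'SHA-256: hex' line pairs -> {filename: hex}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {name: digest.split(":", 1)[1].strip().lower()
            for name, digest in zip(lines[::2], lines[1::2]) if digest.startswith("SHA-256:")}

def verify_checksums(directory, expected):
    """Map each manifest filename to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                results[name] = "ok" if hashlib.sha256(f.read()).hexdigest() == digest else "mismatch"
        else:
            results[name] = "missing"
    return results

def demo_verify():
    """verify_checksums() over constructed placeholder files (not real RPMs)."""
    data = b"constructed sample bytes, not an RPM"
    with tempfile.TemporaryDirectory() as d:
        for name in ("good.rpm", "bad.rpm"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        expected = {"good.rpm": hashlib.sha256(data).hexdigest(), "bad.rpm": "0" * 64, "absent.rpm": "0" * 64}
        return verify_checksums(d, expected)
```

To use it on a host, feed `is_fixed()` the string printed by `rpm -q git --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'` (for example `is_fixed("git-2.31.1-2.el8_7")` is False and `is_fixed("git-2.31.1-3.el8_7.1")` is True), and pass the full "filename / SHA-256:" table for your architecture to `parse_manifest()` before calling `verify_checksums()` on the download directory. Checksum verification complements, and does not replace, RPM signature checking by `dnf`/`rpm -K`.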
Related news
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and
Red Hat Security Advisory 2023-1677-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-1158-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.31. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 5810-4 - USN-5810-1 fixed several vulnerabilities in Git. This update provides the corresponding update for Ubuntu 14.04 ESM. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
Red Hat Security Advisory 2023-0978-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...
Red Hat OpenShift Container Platform release 4.11.28 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...
Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...
Red Hat Security Advisory 2023-0802-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Important.
Red Hat Security Advisory 2023-0794-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.
Red Hat Advanced Cluster Management for Kubernetes 2.6.4 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload i...
An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...
Red Hat Security Advisory 2023-0627-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0628-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0599-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0609-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-0610-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.
An update for git is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...
An update for git is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...
An update for git is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.gitattributes...
An update for git is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there i...
An update for git is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via...
An update for git is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be tri...
An update for rh-git227-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23521: A flaw was found in Git, a distributed revision control system. When parsing gitattributes, a mechanism to allow defining attributes for paths, multiple integer overflows can occur when there is a huge number of path patterns, attributes for a single pattern, or declared attribute names. These overflows can be triggered via a crafted `.g...
Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, trick local users into executing arbitrary commands, leak information from the local filesystem, and bypass a restricted shell.
Ubuntu Security Notice 5810-2 - USN-5810-1 fixed vulnerabilities in Git. This update introduced a regression as it was missing some commit lines. This update fixes the problem. Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git's code. Thankfully, they’ve been addressed in its latest version. (Read more...) The post Update now! Two critical flaws in Git's code found, patched appeared first on Malwarebytes Labs.
Ubuntu Security Notice 5810-1 - Markus Vervier and Eric Sesterhenn discovered that Git incorrectly handled certain gitattributes. An attacker could possibly use this issue to cause a crash or execute arbitrary code. Joern Schneeweisz discovered that Git incorrectly handled certain commands. An attacker could possibly use this issue to cause a crash or execute arbitrary code.
The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, affect Git versions up to and including v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0; the fixes shipped in the next patch release of each of those series.
Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through `git archive` via the export-subst mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to u...
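The `size_t`-stored-as-`int` bug class described above, reduced to an added model in C (this is illustration written for this page, not git's `pretty.c`): `vuln_pad_plan()` keeps the unpatched shape, where the field's width is narrowed to an `int` that drives both the "does it fit" check and the `memcpy()` offset while the copy length stays the real `size_t`; `safe_pad_plan()` keeps `size_t` throughout and caps the padding a specifier may request. The function names, the `copy_plan` struct, the 40-byte column and the `INT_MAX` cap are assumptions chosen for the example. Nothing is written out of bounds; the functions only compute where the `memcpy()` would have landed, and `plan_in_bounds()` judges the result.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Where a memcpy() into the output buffer would start and how many bytes it
 * would write, relative to a region of exactly `padding` reserved bytes. */
struct copy_plan {
	size_t offset;
	size_t nbytes;
};

/* Vulnerable shape (model of the unpatched code, not git's source): the text
 * width arrives as size_t, is narrowed to int, and that int drives both the
 * "does it fit" check and the offset, while the copy length keeps the true
 * size_t.  Returns 0 with a plan when the field "fits", 1 when it is wider
 * than the column (the caller would then append it unpadded). */
int vuln_pad_plan(size_t text_width, int padding, struct copy_plan *out)
{
	int len = (int)text_width;     /* BUG: silent narrowing; 2^32 becomes 0,
	                                  2^31..2^32-1 becomes negative */
	if (len > padding)
		return 1;
	out->offset = (size_t)(padding - len);   /* right-align: leading spaces */
	out->nbytes = text_width;                /* copy length uses the real width */
	return 0;
}

/* Hardened: size_t throughout, an explicit cap on the padding a format
 * specifier may request, and offset + nbytes == padding by construction. */
int safe_pad_plan(size_t text_width, size_t padding, struct copy_plan *out)
{
	if (padding > (size_t)INT_MAX)   /* cap value is this example's choice */
		return -1;
	if (text_width > padding)
		return 1;
	out->offset = padding - text_width;
	out->nbytes = text_width;
	return 0;
}

/* Would the planned copy stay inside `reserved` bytes?  Tests the sum for
 * wraparound before comparing it, so a huge nbytes cannot slip through. */
int plan_in_bounds(const struct copy_plan *p, size_t reserved)
{
	if (p->nbytes > SIZE_MAX - p->offset)
		return 0;
	return p->offset + p->nbytes <= reserved;
}

int main(void)
{
	struct copy_plan p;
	size_t huge = (size_t)UINT32_MAX + 1;   /* 4 GiB of commit text on a 64-bit build */

	if (vuln_pad_plan(12, 40, &p) == 0)
		printf("vulnerable, width 12:   offset %zu, %zu bytes, %s\n", p.offset, p.nbytes,
		       plan_in_bounds(&p, 40) ? "in bounds" : "OUT OF BOUNDS");
	if (vuln_pad_plan(huge, 40, &p) == 0)
		printf("vulnerable, width 2^32: offset %zu, %zu bytes, %s\n", p.offset, p.nbytes,
		       plan_in_bounds(&p, 40) ? "in bounds" : "OUT OF BOUNDS");
	printf("hardened,   width 2^32: rc=%d (1 = too wide, append unpadded)\n",
	       safe_pad_plan(huge, 40, &p));
	return 0;
}
```

With a 12-byte field both versions agree (offset 28, 12 bytes into a 40-byte column). With a 4 GiB field the narrowed `len` is 0, so the vulnerable check passes and the plan is "40 bytes in, copy 4 GiB", which `plan_in_bounds()` rejects; the hardened version never produces a plan for it. The `(int)` cast of an out-of-range `size_t` is implementation-defined, so the example assumes the usual two's-complement truncation of a 64-bit build.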
Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index, or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched i...
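The working-tree versus index divergence described above (silent splitting of lines longer than 2KB on one path but not the other), as an added example in C written for this page rather than taken from git's `attr.c`: `records_from_file()` models a fixed 2048-byte `fgets()`-style loop, `records_from_blob()` models splitting an in-memory blob at newlines only, and `records_hardened()` applies the rule that an overlong line is dropped whole so both paths agree. The 2048 figure is the advisory's "2KB"; the function names, `mem_fgets()`, the record limit and the constructed `.gitattributes` content are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed read buffer: the advisory's "2KB".  Constant name and the drop rule
 * are this example's own, not git's internals. */
#define ATTR_LINE_MAX 2048

/* Minimal fgets() look-alike over an in-memory string: copies at most
 * size-1 bytes, stopping after a newline.  A line longer than that comes
 * back in pieces and nothing tells the caller it was split. */
char *mem_fgets(char *buf, size_t size, const char **cursor)
{
	size_t i = 0;
	if (size == 0 || **cursor == '\0')
		return NULL;
	while (i < size - 1 && **cursor != '\0') {
		char c = *(*cursor)++;
		buf[i++] = c;
		if (c == '\n')
			break;
	}
	buf[i] = '\0';
	return buf;
}

/* Working-tree path: records exactly as the fixed-buffer loop sees them.
 * Returns the record count; the first `max` records are copied to out. */
size_t records_from_file(const char *content, char out[][ATTR_LINE_MAX], size_t max)
{
	const char *cursor = content;
	char buf[ATTR_LINE_MAX];
	size_t n = 0;
	while (mem_fgets(buf, sizeof(buf), &cursor)) {
		size_t len = strlen(buf);
		if (len && buf[len - 1] == '\n')
			buf[len - 1] = '\0';          /* chomp */
		if (n < max)
			strcpy(out[n], buf);          /* buf is at most 2047 bytes + NUL */
		n++;
	}
	return n;
}

/* Split at '\n' only (the in-memory blob view).  With drop_overlong set, a
 * line of ATTR_LINE_MAX bytes or more is discarded whole instead of split. */
static size_t split_lines(const char *content, char out[][ATTR_LINE_MAX],
			  size_t max, int drop_overlong)
{
	size_t n = 0;
	for (const char *p = content; *p; ) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		if (!(drop_overlong && len >= ATTR_LINE_MAX)) {
			if (n < max) {
				size_t keep = len < ATTR_LINE_MAX - 1 ? len : ATTR_LINE_MAX - 1;
				memcpy(out[n], p, keep);
				out[n][keep] = '\0';
			}
			n++;
		}
		if (!nl)
			break;
		p = nl + 1;
	}
	return n;
}

/* Index path: the blob is already in memory, so no fixed buffer is involved. */
size_t records_from_blob(const char *content, char out[][ATTR_LINE_MAX], size_t max)
{
	return split_lines(content, out, max, 0);
}

/* Hardened: same splitting for both sources, overlong lines ignored, so an
 * oversized line can no longer manufacture extra patterns on one path only. */
size_t records_hardened(const char *content, char out[][ATTR_LINE_MAX], size_t max)
{
	return split_lines(content, out, max, 1);
}

/* Constructed sample: one line of 2047 filler bytes immediately followed by
 * "*.secret filter=evil", then an ordinary line.  The filler is sized so the
 * second fgets() chunk begins exactly at the smuggled pattern. */
const char *sample_attributes(void)
{
	static char sample[ATTR_LINE_MAX + 64];
	size_t fill = ATTR_LINE_MAX - 1;
	memset(sample, 'a', fill);
	strcpy(sample + fill, "*.secret filter=evil\n*.c diff=cpp\n");
	return sample;
}

int main(void)
{
	char recs[4][ATTR_LINE_MAX];
	const char *content = sample_attributes();
	size_t n = records_from_file(content, recs, 4);
	printf("file path: %zu records, second is \"%s\"\n", n, recs[1]);
	n = records_from_blob(content, recs, 4);
	printf("blob path: %zu records\n", n);
	n = records_hardened(content, recs, 4);
	printf("hardened : %zu records, first is \"%s\"\n", n, recs[0]);
	return 0;
}
```

The same bytes yield three records on the file path, one of them a `*.secret filter=evil` pattern that was never a line of its own, two on the blob path, and a single `*.c diff=cpp` record once overlong lines are refused. That is the divergence the advisory's "failure mode depends on whether the file exists in the working tree, the index, or both" refers to, and why the fix treats the limit as a rejection rather than a split point.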