Your message dated Tue, 18 Oct 2022 23:23:54 +0200
with message-id <[email protected]>
and subject line Accepted git 1:2.37.2-1 (source) into unstable
has caused the Debian Bug report #1014848,
regarding git: CVE-2022-29187
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git
Version: 1:2.36.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for git.
CVE-2022-29187[0]:
| Git is a distributed revision control system. Git prior to versions
| 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is
| vulnerable to privilege escalation in all platforms. An unsuspecting
| user could still be affected by the issue reported in CVE-2022-24765,
| for example when navigating as root into a shared tmp directory that
| is owned by them, but where an attacker could create a git repository.
| Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and
| 2.30.5 contain a patch for this issue. The simplest way to avoid being
| affected by the exploit described in the example is to avoid running
| git as root (or an Administrator in Windows), and if needed to reduce
| its use to a minimum. While a generic workaround is not possible, a
| system could be hardened from the exploit described in the example by
| removing any such repository if it exists already and creating one as
| root to block any future attacks.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187
[1] https://lists.q42.co.uk/pipermail/git-announce/2022-July/001250.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
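The scenario in the advisory text above (a directory owned by root in which another user has created a repository) can be checked before git is run there. The following is an added example, not code from Git, the Debian package, or the bug report: the function names are hypothetical, it assumes GNU stat with a BSD fallback, and it only reports ownership rather than reproducing Git's own check.

```shell
#!/bin/sh
# Added audit helper (hypothetical names; not part of Git or Debian's package).
# Walks upward from a start directory, as repository discovery does, and
# compares the numeric owner of the nearest .git entry and of the directory
# holding it against the expected user.

# owner_uid PATH: numeric owner (GNU stat first, BSD stat as fallback).
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# nearest_git START: print the nearest ancestor of START holding a .git entry.
# Returns 0 if found, 1 if none exists up to /, 2 if START is unusable.
nearest_git() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    while :; do
        if [ -e "$dir/.git" ]; then      # directory or gitfile
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# audit_git_owner START [UID]: UID defaults to the current user.
# Returns 0 if nothing would be discovered or everything belongs to UID,
# 1 (with a FOREIGN line) if .git or its parent belongs to someone else,
# 2 if START cannot be entered.
audit_git_owner() {
    want=${2:-$(id -u)}
    top=$(nearest_git "$1") || { [ $? -eq 1 ] && return 0; return 2; }
    git_uid=$(owner_uid "$top/.git")
    dir_uid=$(owner_uid "$top")
    if [ "$git_uid" != "$want" ] || [ "$dir_uid" != "$want" ]; then
        printf 'FOREIGN %s dir_uid=%s git_uid=%s expected=%s\n' \
            "$top" "$dir_uid" "$git_uid" "$want"
        return 1
    fi
    printf 'OK %s uid=%s\n' "$top" "$want"
}
```

A FOREIGN line for a directory such as a shared tmp means the repository there should be removed and, as the advisory suggests, replaced by one created as root.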
--- Begin Message ---
Source: git
Source-Version: 1:2.37.2-1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Aug 2022 19:27:24 -0700
Source: git
Architecture: source
Version: 1:2.37.2-1
Distribution: unstable
Urgency: low
Maintainer: Jonathan Nieder <[email protected]>
Changed-By: Jonathan Nieder <[email protected]>
Closes: 1016723
Changes:
 git (1:2.37.2-1) unstable; urgency=low
 .
   * new upstream release (closes: #1016723; see RelNotes/2.37.0.txt,
     RelNotes/2.37.1.txt, RelNotes/2.37.2.txt).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---