Your message dated Mon, 20 Jan 2025 18:34:27 +0000
with message-id <[email protected]>
and subject line Bug#1093048: fixed in git-lfs 3.5.0-2
has caused the Debian Bug report #1093048,
regarding git-lfs: CVE-2024-53263
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1093048: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093048
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git-lfs
Version: 3.5.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.3.0-1
Control: found -1 2.13.2-1
Hi,
The following vulnerability was published for git-lfs.
CVE-2024-53263[0]:
| Git LFS is a Git extension for versioning large files. When Git LFS
| requests credentials from Git for a remote host, it passes portions
| of the host's URL to the `git-credential(1)` command without
| checking for embedded line-ending control characters, and then sends
| any credentials it receives back from the Git credential helper to
| the remote host. By inserting URL-encoded control characters such as
| line feed (LF) or carriage return (CR) characters into the URL, an
| attacker may be able to retrieve a user's Git credentials. This
| problem exists in all previous versions and is patched in v3.6.1.
| All users should upgrade to v3.6.1. There are no workarounds known
| at this time.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-53263
https://www.cve.org/CVERecord?id=CVE-2024-53263
[1] https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
[2] https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
Regards,
Salvatore
--- End Message ---
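An added illustration of the bug class the advisory above describes, written for this page and not taken from git-lfs or from the upstream fix it references: a remote URL whose path carries a URL-encoded line feed is decoded and serialised into the line-oriented input of `git credential fill` (key=value lines, as in git-credential(1)), so the decoded LF starts a new attribute line. The unchecked builder lets an injected `host=` line through; the hardened builder rejects any attribute containing CR or LF, which is the check the Debian changelog entry names ("Reject LF bytes in credential data"). Assumptions: the attribute set is limited to protocol, host and path; `attributes` models a reader where a repeated key overrides the earlier value; the remote URL and the attacker host are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// credentialInput holds the attributes that would be written to the
// credential helper's stdin, one "key=value\n" line each, terminated by
// an empty line (the git-credential(1) format). Attribute set is an
// assumption for this example; git-lfs itself may send more fields.
type credentialInput struct {
	Protocol string
	Host     string
	Path     string
}

var errControlChar = errors.New("credential attribute contains CR or LF")

// hasLineBreak reports whether a value contains a byte that would end
// the current protocol line and start a new one.
func hasLineBreak(s string) bool {
	return strings.ContainsAny(s, "\r\n")
}

// buildUnchecked serialises the attributes without validating them.
// This is the vulnerable pattern: a decoded LF inside a value becomes
// an extra attribute line that the helper will honour.
func buildUnchecked(in credentialInput) string {
	var b strings.Builder
	fmt.Fprintf(&b, "protocol=%s\n", in.Protocol)
	fmt.Fprintf(&b, "host=%s\n", in.Host)
	if in.Path != "" {
		fmt.Fprintf(&b, "path=%s\n", in.Path)
	}
	b.WriteString("\n")
	return b.String()
}

// buildChecked is the hardened variant: refuse to serialise any
// attribute that contains CR or LF, before it reaches the helper.
func buildChecked(in credentialInput) (string, error) {
	for _, v := range []string{in.Protocol, in.Host, in.Path} {
		if hasLineBreak(v) {
			return "", errControlChar
		}
	}
	return buildUnchecked(in), nil
}

// inputFromRemote derives the attributes from a remote URL. url.Parse
// percent-decodes the path, so "%0A" in the remote becomes a raw LF in
// u.Path, exactly the situation the advisory warns about.
func inputFromRemote(remote string) (credentialInput, error) {
	u, err := url.Parse(remote)
	if err != nil {
		return credentialInput{}, err
	}
	return credentialInput{
		Protocol: u.Scheme,
		Host:     u.Host,
		Path:     strings.TrimPrefix(u.Path, "/"),
	}, nil
}

// attributes reads protocol text the way a line-oriented helper would:
// one key=value per line until the blank terminator, with a repeated
// key overriding the earlier value (assumed model of the reader).
func attributes(text string) map[string]string {
	m := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if line == "" {
			break
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	// Constructed malicious remote: the path smuggles a second host line.
	remote := "https://example.com/org/repo.git%0Ahost=attacker.example"
	in, err := inputFromRemote(remote)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unchecked host seen by helper: %q\n", attributes(buildUnchecked(in))["host"])
	if _, err := buildChecked(in); err != nil {
		fmt.Println("checked builder:", err)
	}
}
```

Run as-is to see the unchecked serialisation hand the helper `host=attacker.example` while the checked builder refuses the request; the same check must also cover CR, since a helper that strips `\r` would otherwise still split the line.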
--- Begin Message ---
Source: git-lfs
Source-Version: 3.5.0-2
Done: Andrej Shadura <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git-lfs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated git-lfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 20 Jan 2025 18:36:43 +0100
Source: git-lfs
Architecture: source
Version: 3.5.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Closes: 1093048
Changes:
git-lfs (3.5.0-2) unstable; urgency=medium
.
* Team upload.
* Apply upstream patch for CVE-2024-53263:
- Reject LF bytes in credential data.
Closes: #1093048.
Checksums-Sha1:
86716fd8de26009814cef0af262607c6dca6f219 2111 git-lfs_3.5.0-2.dsc
82f5ce3a4cd8ce8452bf12675463737b4a00b712 8100 git-lfs_3.5.0-2.debian.tar.xz
d0aa03db17b79f7d01fa416fb5db483728540692 8667 git-lfs_3.5.0-2_source.buildinfo
Checksums-Sha256:
59875eb442ffc4b950ae4e6b6e67909454312fd478d0d9202aee68ab6cd43a91 2111 git-lfs_3.5.0-2.dsc
6df2045a4d38c31cb435c1318a8f14bb11a7b1a2149aef2c29831dd30cb4387a 8100 git-lfs_3.5.0-2.debian.tar.xz
43db7ea7bb010c87db8cc6e9529a30ad276d74291b282f4bc18239f82df25eb5 8667 git-lfs_3.5.0-2_source.buildinfo
Files:
6f40a3f40e66cca1432dfe042bedf909 2111 vcs optional git-lfs_3.5.0-2.dsc
7f0db6e950f1b5a132ee7e521a8364c8 8100 vcs optional git-lfs_3.5.0-2.debian.tar.xz
0bf5f7fde59da78d9596dbba8c76ad1e 8667 vcs optional git-lfs_3.5.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZ46U7AAKCRDoRGtKyMdy
YVhcAQD3rt1FItTtw4s4ts1Tp1peGE/SOeoP21k62bJvEg2pagEA10mLa+kKeX0A
D6+GT+ENvvJ40xp021wvdsHQg6+NJw8=
=ckbk
-----END PGP SIGNATURE-----
--- End Message ---