Your message dated Fri, 22 Aug 2025 10:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1108983: fixed in git 1:2.47.3-0+deb13u1
has caused the Debian Bug report #1108983,
regarding git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384
CVE-2025-48385 CVE-2025-48386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git
Version: 1:2.50.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
The following vulnerabilities were published for git.
CVE-2025-27613[0], CVE-2025-27614[1], CVE-2025-46835[2],
CVE-2025-48384[3], CVE-2025-48385[4] and CVE-2025-48386[5].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27613
    https://www.cve.org/CVERecord?id=CVE-2025-27613
[1] https://security-tracker.debian.org/tracker/CVE-2025-27614
    https://www.cve.org/CVERecord?id=CVE-2025-27614
[2] https://security-tracker.debian.org/tracker/CVE-2025-46835
    https://www.cve.org/CVERecord?id=CVE-2025-46835
[3] https://security-tracker.debian.org/tracker/CVE-2025-48384
    https://www.cve.org/CVERecord?id=CVE-2025-48384
[4] https://security-tracker.debian.org/tracker/CVE-2025-48385
    https://www.cve.org/CVERecord?id=CVE-2025-48385
[5] https://security-tracker.debian.org/tracker/CVE-2025-48386
    https://www.cve.org/CVERecord?id=CVE-2025-48386
[6] https://lore.kernel.org/git/[email protected]/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: git
Source-Version: 1:2.47.3-0+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 30 Jul 2025 21:10:52 +0300
Source: git
Architecture: source
Version: 1:2.47.3-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Jonathan Nieder <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1108983
Changes:
 git (1:2.47.3-0+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-27613: gitk: file creation/truncation after cloning untrusted repository
     - CVE-2025-27614: gitk: user can be tricked into running any script after cloning untrusted repository
     - CVE-2025-46835: git-gui: file creation/overwriting after cloning untrusted repository
     - CVE-2025-48384: script execution after cloning untrusted repository
     - CVE-2025-48385: protocol injection when fetching
     - Closes: #1108983
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---