Your message dated Tue, 01 Nov 2022 02:34:48 +0000
with message-id <e1oph72-00byar...@fasolo.debian.org>
and subject line Bug#1022046: fixed in git 1:2.38.1-1
has caused the Debian Bug report #1022046,
regarding git: CVE-2022-39253 CVE-2022-39260
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1022046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022046
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: git
Version: 1:2.30.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:2.37.2-1

Hi,

The following vulnerabilities were published for git.

CVE-2022-39253[0] and CVE-2022-39260[1].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39253
    https://www.cve.org/CVERecord?id=CVE-2022-39253
[1] https://security-tracker.debian.org/tracker/CVE-2022-39260
    https://www.cve.org/CVERecord?id=CVE-2022-39260
[2] https://www.openwall.com/lists/oss-security/2022/10/18/5

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: git
Source-Version: 1:2.38.1-1
Done: Jonathan Nieder <jrnie...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1022...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Nieder <jrnie...@gmail.com> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 31 Oct 2022 18:32:00 -0700
Source: git
Architecture: source
Version: 1:2.38.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Closes: 1022046
Changes:
 git (1:2.38.1-1) unstable; urgency=medium
 .
   * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
     RelNotes/2.38.1.txt).
     * Addresses the security issue CVE-2022-39253: cloning an
       attacker-controlled local repository could store arbitrary files
       in the ".git" directory of the destination repository.
 .
       Thanks to Cory Snider of Mirantis for reporting this
       vulnerability and Taylor Blau for the mitigation.
 .
     * Addresses CVE-2022-39260: a long command string passed to a `git
       shell` configured to support custom commands could overflow and
       run arbitrary code.
 .
       Thanks to Kevin Backhouse of GitHub for reporting this
       vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
       for mitigating it.


--- End Message ---
