As shown at https://ubuntu.com/security/CVE-2022-23521, Canonical *did*
provide a fix for this, including for the three versions of Ubuntu
mentioned here (18.04 bionic, 20.04 focal, 22.04 jammy). That Ubuntu
Security Notice was published a day before this bug report was opened,
and unless I'm missing something, it looks like this bug report was
based on a misconception about how security patches and their associated
versioning works.

Most security patches in Debian, Ubuntu, and most (though not all)
distros are provided as patched versions that add only the fix for
the security vulnerability, without new feature changes. In Ubuntu, this
relates to https://wiki.ubuntu.com/StableReleaseUpdates. That is what
https://bugs.launchpad.net/ubuntu/+source/git/+bug/2003204/comments/1
above is referring to. The fixed packages' version numbers did not match
the expectation expressed in the bug description here, but they did fix
the bug.

Of course, it can still be valuable to use ppa:git-core/ppa if one wants
the *features* of a new git version, such as performance, additional
options, more user-friendly messages, and so forth. But getting fixes
for security vulnerabilities does not generally require this, and did
not require it in the case of CVE-2022-23521.

-- 
https://bugs.launchpad.net/bugs/2003204

Title:
  Update git because of CVE-2022-23521
