Fast Version Control System
From the release notes for 2.30.8¹: * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. * CVE-2023-23946: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". * A mismatched type in `attr.c::read_attr_from_index()` which could cause Git to errantly reject attributes on Windows and 32-bit Linux has been corrected. Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed by Taylor Blau, with additional help from others on the Git security mailing list. Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix was developed by Patrick Steinhardt. ¹ https://github.com/git/git/raw/v2.39.2/Documentation/RelNotes/2.30.8.txt |
||
---|---|---|
.gitignore | ||
.mailmap | ||
0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch | ||
0002-t-lib-git-daemon-try-harder-to-find-a-port.patch | ||
0003-t-lib-git-svn-try-harder-to-find-a-port.patch | ||
git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch | ||
git-gui.desktop | ||
git.rpmlintrc | ||
git.skip-test-patterns | ||
git.socket | ||
git.spec | ||
git.xinetd.in | ||
git@.service.in | ||
gitweb-httpd.conf | ||
gitweb.conf.in | ||
gpgkey-junio.asc | ||
print-failed-test-output | ||
sources |