Source: git Version: 1:2.36.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for git. CVE-2022-29187[0]: | Git is a distributed revision control system. Git prior to versions | 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is | vulnerable to privilege escalation in all platforms. An unsuspecting | user could still be affected by the issue reported in CVE-2022-24765, | for example when navigating as root into a shared tmp directory that | is owned by them, but where an attacker could create a git repository. | Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and | 2.30.5 contain a patch for this issue. The simplest way to avoid being | affected by the exploit described in the example is to avoid running | git as root (or an Administrator in Windows), and if needed to reduce | its use to a minimum. While a generic workaround is not possible, a | system could be hardened from the exploit described in the example by | removing any such repository if it exists already and creating one as | root to block any future attacks. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-29187 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187 [1] https://lists.q42.co.uk/pipermail/git-announce/2022-July/001250.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
