Your message dated Tue, 21 Jan 2025 13:05:27 +0000
with message-id <e1tadwd-003ilz...@fasolo.debian.org>
and subject line Bug#1093042: fixed in git 1:2.47.2-0.1
has caused the Debian Bug report #1093042,
regarding git: CVE-2024-50349 CVE-2024-52006
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1093042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: git
Version: 1:2.39.5-0+deb12u1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:2.45.2-1
Control: found -1 1:2.47.1-1
Hi,
The following vulnerabilities were published for git.
CVE-2024-50349[0]:
| Git is a fast, scalable, distributed revision control system with an
| unusually rich command set that provides both high-level operations
| and full access to internals. When Git asks for credentials via a
| terminal prompt (i.e. without using any credential helper), it
| prints out the host name for which the user is expected to provide a
| username and/or a password. At this stage, any URL-encoded parts
| have been decoded already, and are printed verbatim. This allows
| attackers to craft URLs that contain ANSI escape sequences that the
| terminal interprets to confuse users e.g. into providing passwords
| for trusted Git hosting sites when in fact they are then sent to
| untrusted sites that are under the attacker's control. This issue
| has been patched via commits `7725b81` and `c903985` which are
| included in release versions v2.48.1, v2.47.1, v2.46.3, v2.45.3,
| v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised
| to upgrade. Users unable to upgrade should avoid cloning from
| untrusted URLs, especially recursive clones.
CVE-2024-52006[1]:
| Git is a fast, scalable, distributed revision control system with an
| unusually rich command set that provides both high-level operations
| and full access to internals. Git defines a line-based protocol that
| is used to exchange information between Git and Git credential
| helpers. Some ecosystems (most notably, .NET and node.js) interpret
| single Carriage Return characters as newlines, which renders the
| protections against CVE-2020-5260 incomplete for credential helpers
| that treat Carriage Returns in this way. This issue has been
| addressed in commit `b01b9b8` which is included in release versions
| v2.48.1, v2.47.1, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4,
| v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to
| upgrade should avoid cloning from untrusted URLs, especially
| recursive clones.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-50349
https://www.cve.org/CVERecord?id=CVE-2024-50349
[1] https://security-tracker.debian.org/tracker/CVE-2024-52006
https://www.cve.org/CVERecord?id=CVE-2024-52006
[2] https://www.openwall.com/lists/oss-security/2025/01/14/4
Regards,
Salvatore
--- End Message ---
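Added example, not git's code and not part of this bug thread: the two checks the advisories above describe, written in Python from the defender's side, a prompt guard for CVE-2024-50349 (control characters in the percent-decoded host) and an LF-only credential-helper line parser beside the "universal newline" one for CVE-2024-52006. The host names, URLs and request bytes are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# C0 controls (ESC 0x1b, CR 0x0d, ...) and DEL: bytes a terminal acts on.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def prompt_host(url: str) -> str:
    """Host a credential prompt shows: userinfo dropped, percent-decoded verbatim."""
    netloc = urlsplit(url).netloc
    return unquote(netloc.rsplit("@", 1)[-1])

def host_is_displayable(url: str) -> bool:
    """CVE-2024-50349 check: refuse a decoded host carrying control characters
    instead of printing it to the terminal."""
    return _CONTROL.search(prompt_host(url)) is None

def credential_value_ok(value: str) -> bool:
    """Git-side check on values written to a helper: LF is rejected since
    CVE-2020-5260; CR (and NUL) must be rejected too (CVE-2024-52006)."""
    return not any(c in value for c in "\r\n\0")

def naive_parse(raw: bytes) -> dict:
    """What a helper with 'universal newline' splitting sees: str.splitlines()
    treats a lone CR as a line break, as .NET and node.js readers do."""
    fields = {}
    for line in raw.decode().splitlines():
        if line == "":
            break
        key, _, val = line.partition("=")
        fields[key] = val  # a later key overwrites an earlier one
    return fields

def strict_parse(raw: bytes) -> dict:
    """Helper-side parser: split on LF only and reject CR in any line."""
    fields = {}
    for line in raw.split(b"\n"):
        if line == b"":
            break
        if b"\r" in line or b"=" not in line:
            raise ValueError("malformed credential line: %r" % line)
        key, _, val = line.decode().partition("=")
        fields[key] = val
    return fields

# Constructed request (not captured from git): a second 'host' line smuggled in
# behind a lone carriage return.
SMUGGLED = b"protocol=https\nhost=trusted.example\rhost=evil.example\n\n"
```

Running `naive_parse(SMUGGLED)` returns the smuggled host, which is the helper-side half of the bug; `strict_parse` rejects the same bytes and `credential_value_ok` is the git-side check that keeps them from being written at all.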
--- Begin Message ---
Source: git
Source-Version: 1:2.47.2-0.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1093...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Jan 2025 09:06:17 +0100
Source: git
Architecture: source
Version: 1:2.47.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1093042
Changes:
git (1:2.47.2-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* new upstream release (see Documentation/RelNotes/2.47.2.txt; addresses
CVE-2024-50349 and CVE-2024-52006; Closes: #1093042).
--- End Message ---