Your message dated Wed, 30 Jul 2025 23:35:06 +0000
with message-id <[email protected]>
and subject line Bug#1108983: fixed in git 1:2.50.1-0.1
has caused the Debian Bug report #1108983,
regarding git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384
CVE-2025-48385 CVE-2025-48386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108983
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git
Version: 1:2.50.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
The following vulnerabilities were published for git.
CVE-2025-27613[0], CVE-2025-27614[1], CVE-2025-46835[2],
CVE-2025-48384[3], CVE-2025-48385[4] and CVE-2025-48386[5].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27613
    https://www.cve.org/CVERecord?id=CVE-2025-27613
[1] https://security-tracker.debian.org/tracker/CVE-2025-27614
    https://www.cve.org/CVERecord?id=CVE-2025-27614
[2] https://security-tracker.debian.org/tracker/CVE-2025-46835
    https://www.cve.org/CVERecord?id=CVE-2025-46835
[3] https://security-tracker.debian.org/tracker/CVE-2025-48384
    https://www.cve.org/CVERecord?id=CVE-2025-48384
[4] https://security-tracker.debian.org/tracker/CVE-2025-48385
    https://www.cve.org/CVERecord?id=CVE-2025-48385
[5] https://security-tracker.debian.org/tracker/CVE-2025-48386
    https://www.cve.org/CVERecord?id=CVE-2025-48386
[6] https://lore.kernel.org/git/[email protected]/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: git
Source-Version: 1:2.50.1-0.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 29 Jul 2025 20:54:28 +0300
Source: git
Architecture: source
Version: 1:2.50.1-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1108983
Changes:
 git (1:2.50.1-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-27613: gitk: file creation/truncation after cloning
       untrusted repository
     - CVE-2025-27614: gitk: user can be tricked into running any
       script after cloning untrusted repository
     - CVE-2025-46835: git-gui: file creation/overwriting after
       cloning untrusted repository
     - CVE-2025-48384: script execution after cloning untrusted
       repository
     - CVE-2025-48385: protocol injection when fetching
     - Closes: #1108983
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---