Hello, Upstream's patches for these CVEs involve making it a lot fiddlier to use shared repositories where write access is managed using Unix permissions, rather than by using SSH identities. And indeed someone has reported a case of this a few days ago: <https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u>.
I think that this regression would be significant enough in an LTS context -- it's an older way of doing git repository hosting -- that we should leave these two CVEs unpatched for now. I also note: the commit message for the fix for CVE-2024-32465 says that it renders the fix for CVE-2024-32004 "somewhat redundant". My understanding of the situation is that the fix for CVE-2024-32465 does fix the issue strictly designated by CVE-2024-32004, and without the sort of usability regression linked above. Could someone review this assessment, please?

-- Sean Whitton