Hi,

On Tue, Jul 23, 2024 at 09:54:14AM +0900, Hideki Yamane wrote:
> Hello,
>
> > LTS
> >
> > - git
> >
> > - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815,
> > CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and
> > CVE-2024-32465, and including a follow-up fix for CVE-2019-1387.
> >
> > We did not include upstream's fix for CVE-2024-32020 because it was
> > decided to be inappropriate in a context of long term support.
> > For simple git hosting using 'git init --bare --shared', the fix
> > broke pulling and pushing by a different UID, unless the local
> > administrator deployed relatively fiddly server-side configuration
> > changes.
> >
> > I was pleased to have identified this issue -- after doing so, I
> > found that upstream's fix had already been released elsewhere in the
> > free software ecosystem, and that there had been regression reports.
> >
> > Upstream's fix for CVE-2024-32004 relied on the same change, but
> > fortunately the fix for CVE-2024-32465 also fixed CVE-2024-32004.
>
> Is there any plan to include those fixes in stable, too?
>
> I'm running a Debian stable server on AWS and using Amazon Inspector;
> it warns me that some git CVEs are critical, and it is a bit annoying ;)
Yes there is, but the prepared update shows regressions which need to be
addressed. Likewise, the git version in unstable fixing those issues did
not yet migrate to testing:

https://tracker.debian.org/pkg/git

FWIW, if you have questions about stable you might reach out to the Debian
security team via team@s.d.o, as the debian-lts list is about Debian LTS
discussion; we might miss questions on this list.

Hope this helps,

Regards,
Salvatore