Hi fellow LTS and ELTS developers

I started to look at git for bullseye. It has one vulnerability,
CVE-2024-32020.
You can read about the vulnerability here:
https://security-tracker.debian.org/tracker/CVE-2024-32020

For Debian Stable it has been fixed together with a lot of other changes in
the scope of DSA-5769-1.

However, when you read what the fix is, it is obvious that this is not a
perfectly safe fix from a regression point of view. Please read more here:
https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u

The fix is to simply refuse to clone local repositories if the current user
is not the owner.
This means that two people both working on a local repo cannot clone from
each other, for example. At least that is how I interpret the regression
email and the code.

I think that for remote repos with https access this is not an issue
because it is owned by one single user. But for ssh access I'm not
entirely sure how this would work. For local repos this is definitely a
regression. There is a workaround to use the safe.directory option, but
there were concerns about that as well.

Apparently this was considered safe enough for Debian stable, indicating
that we should do the same for LTS and ELTS. But before applying this fix
and uploading I would like to check with you that you do not think this is
a problem.

It is a known possible regression and I do not want to break things unless
you are with me. :-)

For ELTS this is postponed. There is no entry in ela-needed.txt so I guess
we should wait with that one, or do you think I should fix both LTS and
ELTS in that case?

Thank you for the feedback in advance.

Cheers

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

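A shell helper, added here as an example and not part of Ola's mail or of git itself, that audits the condition the new check keys on: whether each local repository is owned by the user who runs git. It assumes a flat layout in which every immediate subdirectory of ROOT that holds a `.git` directory or a bare-repository `HEAD` file is a repository (an assumption of this example, not something the mail states), and for every repository the caller does not own it prints the `git config --global --add safe.directory` line that the workaround mentioned above would require. Running it on a host before upgrading shows which shared local clone setups would trip the ownership refusal.

```shell
#!/bin/sh
# Added example, not from the mail or from git: find local repositories that
# the invoking user does not own, i.e. the ones a local clone would now refuse.

# repo_owned_by_caller DIR: exit 0 if DIR exists and is owned by the caller.
# Uses find's POSIX -user test so it works under dash as well as bash.
repo_owned_by_caller() {
    dir=$1
    me=$(id -un)
    [ -n "$(find "$dir" -prune -user "$me" -print 2>/dev/null)" ]
}

# looks_like_repo DIR: exit 0 if DIR is a working tree with .git or a bare
# repository with a top-level HEAD file (assumed layout for this example).
looks_like_repo() {
    [ -d "$1/.git" ] || [ -f "$1/HEAD" ]
}

# safe_directory_fixes ROOT: for each repository directly under ROOT that the
# caller does not own, print the safe.directory allow-list command for it.
# Prints nothing when every repository under ROOT is owned by the caller.
safe_directory_fixes() {
    root=$1
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue
        looks_like_repo "$dir" || continue
        if ! repo_owned_by_caller "$dir"; then
            printf 'git config --global --add safe.directory %s\n' "$dir"
        fi
    done
}

# Usage: safe_directory_fixes /srv/git   (constructed path, adjust to taste)
```

Whether the allow-list actually restores the old clone behaviour on a given git build is something to confirm against that build, since the mail notes there were concerns about safe.directory as well; the script only tells you which repositories are affected.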