Hi Leoš,

On Fri, May 05, 2023 at 01:48:29PM +0000, Leoš Sokolowski wrote:
> Hi,
>
> I'd like to ask if there's any update on the git vulnerability
> CVE-2018-100002. According to the description on both the tracker and the NVD
> it has been fixed since version 2.15.1, but the security trackers of both
> Debian and Ubuntu still list it as vulnerable on all versions, up to
> 1:2.40.1-1. I'm pretty sure that's wrong. Is that a problem that has been
> kept in the application for legacy reasons or something that has been fixed
> upstream, copied, but not marked as fixed in the tracker? The last update on
> the linked bug report (889680) is from 2018 and appears to be spam.

The CVE description says the issue is _in_ 2.15.1, not that it's fixed. If you
have any confirmations about this being addressed (changelogs/commits etc),
please let us know and we're happy to review it.

Cheers,
Moritz