Back to git PTS page

Accepted git 1:2.20.1-2+deb10u5 (source) into oldstable

To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
Subject: Accepted git 1:2.20.1-2+deb10u5 (source) into oldstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 13 Dec 2022 18:10:22 +0000
Debian: DAK
Debian-architecture: source
Debian-archive-action: accept
Debian-changes: git_2.20.1-2+deb10u5_source.changes
Debian-source: git
Debian-suite: oldstable
Debian-version: 1:2.20.1-2+deb10u5
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=J2wEGXZTqh6ZQ3LQWd2DPHm+gmG24jdaWrgKpup4aFI=; b=O/V32Yd/bCE/K0nhzidZec//8Z 7xzgIku8Ydu0urqrTD9lvkyzhK11aWqVeVlo1kD2SZ8uAEDDsroz54Y7qcpXc27u2Bnmov2eW1MlI LBbM6u9n2KW/WcupqpcfB4RkSsQPmSeu9/Ekyq/Jc15keyBneiQIFQd64sCPSDqqksfXgSRiULJSU IrBiB0KO9qiS7Sxmgh5scRW9tvHBz/UqWFcNj8Lbc9a/+OyI4BKX/WBK6o/Z7JfbWnRK+f14ZFL0n UWsHhXuiVWIBoh0xnN7RT5mKe25FBQk5so2EHsQDOY6090471Nb1iALCK8s+KqmN0EU436i+4muT1 uVEYrvwA==;
Mail-followup-to: debian-lts@lists.debian.org
Message-id: <E1p59jS-00FFVn-L5@seger.debian.org>
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Dec 2022 15:14:23 +0100
Source: git
Architecture: source
Version: 1:2.20.1-2+deb10u5
Distribution: buster-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Changes:
 git (1:2.20.1-2+deb10u5) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2022-24765: Git not checking the ownership of directories in a
     local multi-user system when running commands specified in the local
     repository configuration.  This allows the owner of the repository to
     cause arbitrary commands to be executed by other users who access the
     repository.
   * The above introduces new 'safe.directory' checks which may cause
     regressions: allow opt-out of such checks with 'safe.directory=*'
   * CVE-2022-29187: an unsuspecting user could still be affected by the
     issue reported in CVE-2022-24765, for example when navigating as root
     into a shared tmp directory that is owned by them, but where an
     attacker could create a git repository.
   * CVE-2022-39253: exposure of sensitive information to a malicious
     actor. When performing a local clone (where the source and target of
     the clone are on the same volume), Git copies the contents of the
     source's `$GIT_DIR/objects` directory into the destination by either
     creating hardlinks to the source contents, or copying them (if
     hardlinks are disabled via `--no-hardlinks`). A malicious actor could
     convince a victim to clone a repository with a symbolic link pointing
     at sensitive information on the victim's machine.
   * CVE-2022-39260: `git shell` improperly uses an `int` to represent the
     number of entries in the array, allowing a malicious actor to
     intentionally overflow the return value, leading to arbitrary heap
     writes. Because the resulting array is then passed to `execv()`, it is
     possible to leverage this attack to gain remote code execution on a
     victim machine.
Checksums-Sha1:
 618326d517325bfa21a37917c8b11f1e48f0f55a 2894 git_2.20.1-2+deb10u5.dsc
 c15c18bd96f2611fd0f0ee4eeb543798ae9124dc 676036 git_2.20.1-2+deb10u5.debian.tar.xz
 27c650e2bba038bd90aef295dc21f68aef51ee01 11775 git_2.20.1-2+deb10u5_all.buildinfo
Checksums-Sha256:
 6a8d22b88d0deab73b3da6a23b725788349adb246dcab4fc314bd2c309d63566 2894 git_2.20.1-2+deb10u5.dsc
 0dc9f3fef30893e6678026345881dd07c7933f7f139aa06145e20a7127b50c47 676036 git_2.20.1-2+deb10u5.debian.tar.xz
 0b955aa5c167f4357a86101fa567069b8af9f912b528915390cc3df72b35ac26 11775 git_2.20.1-2+deb10u5_all.buildinfo
Files:
 fa5346bf770a5974210c0f5c61708cf4 2894 vcs optional git_2.20.1-2+deb10u5.dsc
 4cf58e4fbe1beaf593f1751d56c8db4f 676036 vcs optional git_2.20.1-2+deb10u5.debian.tar.xz
 160eb185dce976d6eeff0b098c662bcd 11775 vcs optional git_2.20.1-2+deb10u5_all.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmOYvFYACgkQDTl9HeUl
XjCLtA//Ym5K66oVdw1hiRr1BTbtPqOvO5uwUO2esFFc62CU1u2k0cP2rOCTQPzy
RM6VngJLZsRUPVvj+N5KX8px4mHOWI7Ii32Ke8/2OQ/iJwsjEkz052LfroV2DviD
lDPtQXU8Y0Z6S6HfL1fxuHulavxRLFmeQ5NpQXXngFAx5HVIpYeg71qFJ8l6LGQq
TY8HiYlBxFzzhZEaIjbeJ+jTZeXt6PcKFqJfG4W6kUGpb1zDbvwYYX6jJKBwBwEr
kAUMp/yoj9j5AtnnBHjkocQabBFuILDg4xjOJZEQvzndjBXKNblyZYR1eEnnngcA
Vq0F7Mb1KLOuAyH3wwF34/pEZsxIhVrXJFMC0YM6e7BRI0SX12lpHJ2mpLw8scg+
8v+G2oXEgfV6Ov6GteG4hPFAB+e2g/fRYKQwSkErUZHsJ+uVbveTlW3S4lQTsIFF
MRS/dOxDnBYB2aLplsZuJskhZ6kIxIMXs9sTjainR7vrSur75NzSxs47/1fFo7Mf
mYQXVktMZQE+qrSUjxn74ss/8J2E09z0MD7khMPcR1sS90hTTg4acxJs3Wr/RKxP
LD7mSKZqrA5BIIq1aC3fiPf+KUt1E9ANSmuVXzxtFnaE+Q2LExf2BQrWOdu+FY8C
AG2l+eYIxxNDPXVS4QfrraRiqmEJ0TiQcdZBjNpUzlEQideccbg=
=AoP7
-----END PGP SIGNATURE-----