Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jul 2022 17:13:18 -0700
From: Junio C Hamano <junio@...ox.com>
To: oss-security@...ts.openwall.com
cc: git-security@...glegroups.com,
    ycdxsb <ycdxsb@...il.com>, Carlo Marcelo Arenas Belón
 <carenas@...il.com>,
    Johannes Schindelin <johannes.schindelin@....de>
Subject: Git v2.37.1 and friends for CVE-2022-29187

The Git project released new versions on July 12th, 2022, addressing
CVE-2022-29187.  We highly recommend to upgrade to one of these fixed
versions:

  v2.30.5 v2.31.4 v2.32.3 v2.33.4 v2.34.4 v2.35.4 v2.36.2 v2.37.1

If you are on the unreleased development track, the same fix is
already included, so you do not have to do anything.

https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/


This fix contained in these releases are minor updates for the
changes that went into Git 2.30.3 and 2.30.4, addressing
CVE-2022-29187.

 * The safety check that verifies a safe ownership of the Git
   worktree is now extended to also cover the ownership of the Git
   directory (and the `.git` file, if there is any).

Credit for finding and fixing the problem goes to Carlo Marcelo
Arenas Belón and Johannes Schindelin.

Thanks.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.