Date: Tue, 10 Jan 2017 11:31:37 +0100
From: Andreas Stieger <>
Subject: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6


libgit2 released:

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart
Protocol which can lead to attempting to parse outside of the buffer.

[...] fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library
considered the certificate to be correct. This parameter is always
1/true before this fix, leading to a possible MITM.

This does not affect you if you do not use the custom certificate
callback or if you do not take this value into account. This does affect
you if you use pygit2 or git2go regardless of whether you specify a
certificate check callback.

Could CVEs please be assigned?




Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
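As an added illustration of the second fix (this is not code from the libgit2 project, pygit2, git2go, or the message above): a constructed C model of a certificate check callback. The `demo_cert` type, `simulate_connect`, the pin table and the fingerprints are all invented stand-ins; only the callback shape (certificate, `valid` flag, host, payload; return 0 to accept, negative to reject) follows the libgit2 callback the message describes. It shows why a callback that trusts `valid` alone accepts a forged certificate when the library passes 1 unconditionally, while a callback that additionally pins the expected fingerprint fails closed with either library behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the certificate handed to the check callback.
 * This is NOT libgit2's git_cert; it is a stand-in for the demo. */
typedef struct {
    const char *host;           /* host name the certificate claims */
    const char *fingerprint;    /* hex SHA-256 of the certificate (constructed) */
    int crypto_lib_says_valid;  /* verdict of the native TLS/SSH library */
} demo_cert;

/* Callback shape mirrors the libgit2 certificate check callback:
 * return 0 to accept the connection, a negative value to reject it. */
typedef int (*demo_cert_check_cb)(const demo_cert *cert, int valid,
                                  const char *host, void *payload);

/* Constructed sample fingerprints (hypothetical values, not real certs). */
#define GENUINE_FP "aa11bb22cc33dd44ee55ff6600778899aabbccddeeff00112233445566778899"
#define FORGED_FP  "0000000000000000000000000000000000000000000000000000000000000000"

/* Pin table: host -> fingerprint the application expects (constructed). */
typedef struct { const char *host; const char *fingerprint; } pin_entry;
static const pin_entry PINS[] = {
    { "git.example.test", GENUINE_FP },
};

/* Naive callback: trusts `valid` alone.
 * Only safe if the library actually fills that parameter in. */
int naive_check(const demo_cert *cert, int valid, const char *host, void *payload) {
    (void)cert; (void)host; (void)payload;
    return valid ? 0 : -1;
}

/* Hardened callback: requires the library's verdict AND a matching pin,
 * and fails closed for hosts that have no pin. */
int pinning_check(const demo_cert *cert, int valid, const char *host, void *payload) {
    (void)payload;
    if (!valid)
        return -1;
    for (size_t i = 0; i < sizeof PINS / sizeof PINS[0]; i++) {
        if (strcmp(PINS[i].host, host) == 0)
            return strcmp(PINS[i].fingerprint, cert->fingerprint) == 0 ? 0 : -1;
    }
    return -1; /* unknown host: reject */
}

/* Simulated library (hypothetical): before the fix the callback receives
 * valid == 1 unconditionally; after the fix it receives the real verdict. */
int simulate_connect(int library_fixed, const demo_cert *cert, demo_cert_check_cb cb) {
    int valid = library_fixed ? cert->crypto_lib_says_valid : 1;
    return cb(cert, valid, cert->host, NULL);
}

/* Constructed certificates: the pinned genuine one and a forged one
 * that the native crypto library would reject. */
static const demo_cert GENUINE = { "git.example.test", GENUINE_FP, 1 };
static const demo_cert FORGED  = { "git.example.test", FORGED_FP,  0 };

static const char *verdict(int rc) { return rc == 0 ? "accepted" : "rejected"; }

int main(void) {
    printf("unfixed library, naive callback, forged cert:   %s\n",
           verdict(simulate_connect(0, &FORGED, naive_check)));
    printf("fixed library,   naive callback, forged cert:   %s\n",
           verdict(simulate_connect(1, &FORGED, naive_check)));
    printf("unfixed library, pinning callback, forged cert: %s\n",
           verdict(simulate_connect(0, &FORGED, pinning_check)));
    printf("fixed library,   pinning callback, genuine cert: %s\n",
           verdict(simulate_connect(1, &GENUINE, pinning_check)));
    return 0;
}
```

The first line of output is the defect the message describes: with the unfixed library the naive callback accepts the forged certificate because `valid` is always 1. Upgrading fixes that line; pinning (or any independent check inside the callback) is the defence-in-depth that holds regardless of the library version.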

