From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 202312-15 ] Git: Multiple Vulnerabilities
Date: Wed, 27 Dec 2023 07:49:12 -0000
Message-ID: <170366335266.7.17033161568450195060@4a99fbfff9eb>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 202312-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Git: Multiple Vulnerabilities
     Date: December 27, 2023
     Bugs: #838127, #857831, #877565, #891221, #894472, #905088
       ID: 202312-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities have been found in Git, the worst of which could
lead to remote code execution.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Affected packages
=================

Package      Vulnerable    Unaffected
-----------  ------------  ------------
dev-vcs/git  < 2.39.3      >= 2.39.3

Description
===========

Multiple vulnerabilities have been discovered in Git. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"

References
==========

[ 1 ] CVE-2022-23521
      https://nvd.nist.gov/vuln/detail/CVE-2022-23521
[ 2 ] CVE-2022-24765
      https://nvd.nist.gov/vuln/detail/CVE-2022-24765
[ 3 ] CVE-2022-29187
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187
[ 4 ] CVE-2022-39253
      https://nvd.nist.gov/vuln/detail/CVE-2022-39253
[ 5 ] CVE-2022-39260
      https://nvd.nist.gov/vuln/detail/CVE-2022-39260
[ 6 ] CVE-2022-41903
      https://nvd.nist.gov/vuln/detail/CVE-2022-41903
[ 7 ] CVE-2023-22490
      https://nvd.nist.gov/vuln/detail/CVE-2023-22490
[ 8 ] CVE-2023-23946
      https://nvd.nist.gov/vuln/detail/CVE-2023-23946
[ 9 ] CVE-2023-25652
      https://nvd.nist.gov/vuln/detail/CVE-2023-25652
[ 10 ] CVE-2023-25815
      https://nvd.nist.gov/vuln/detail/CVE-2023-25815
[ 11 ] CVE-2023-29007
      https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
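
Added example (not part of the advisory or of Gentoo's tooling): a POSIX shell check that classifies a `git --version` string against the 2.39.3 boundary from the "Affected packages" table. The function names and the sample version strings are constructed for illustration; fields are compared numerically because a plain string comparison would rank 2.7.4 above 2.39.3.

```shell
#!/bin/sh
# Classify a Git version against GLSA 202312-15:
# dev-vcs/git < 2.39.3 is vulnerable, >= 2.39.3 is unaffected.

FIXED_VERSION="2.39.3"   # boundary taken from the advisory's table

# Extract the leading dotted numeric version from `git --version` output or
# a bare version string ("git version 2.39.3", "2.40.0-r1"). Any suffix after
# the numeric fields (revision, vendor tag) is ignored.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p'
}

# Return 0 if version $1 is lower than version $2, comparing field by field
# as integers; missing fields count as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "vulnerable", "unaffected" or "unknown" for a version string.
classify_git() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample inputs, then the local Git if one is installed.
for sample in "git version 2.39.2" "git version 2.39.3" \
              "git version 2.7.4" "git version 2.41.0" "not installed"; do
    printf '%-22s %s\n' "$sample" "$(classify_git "$sample")"
done
if command -v git >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_git "$(git --version)")"
fi
```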