From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 3259A158042 for ; Wed, 6 Nov 2024 14:17:20 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E5132E0C8E; Wed, 6 Nov 2024 14:16:50 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B8927E0C4B for ; Wed, 6 Nov 2024 14:16:35 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.178]) by smtp.gentoo.org (Postfix) with ESMTP id 2DBD1335DC7 for ; Wed, 6 Nov 2024 14:16:35 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id 12068C76C0 for ; Wed, 6 Nov 2024 14:16:35 +0000 (UTC) Subject: [gentoo-announce] [ GLSA 202411-05 ] libgit2: Multiple Vulnerabilities Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============8686149362134967530==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Wed, 06 Nov 2024 14:16:34 -0000 Message-ID: <173090259505.7.926255962728699645@3f85d36892cf> X-Archives-Salt: e90116bd-4eee-48e4-b1e1-cd6f2bad9bcd X-Archives-Hash: c7c78644bd1b46691b776b3a14500ec4 --===============8686149362134967530== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202411-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libgit2: Multiple Vulnerabilities Date: November 06, 2024 Bugs: #891525, #923971 ID: 202411-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in libgit2, the worst of which could lead to arbitrary code execution. Background ========== libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language that supports C bindings. Affected packages ================= Package Vulnerable Unaffected ---------------- ------------ ------------ dev-libs/libgit2 < 1.7.2 >= 1.7.2 Description =========== Multiple vulnerabilities have been discovered in libgit2. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All libgit2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-1.7.2" References ========== [ 1 ] CVE-2023-22742 https://nvd.nist.gov/vuln/detail/CVE-2023-22742 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202411-05 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============8686149362134967530== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmcrekIACgkQFMQkOaVy +9lANRAAsmKXr4gUqVwWImtk0f7QH8+R1EwjGLn2Q1GLN1bePZU1uxpkGYZMJFOf MNLUmi3BsFvBXvcP3dSQxBdFFFWkEE8pwAQ58BY4+57P2Dp1Gik+tq8p7tOvJk8x l3LbY4CjEyW6iD1gLZl6cXG/6VDwy0RBq4ZyItswiq7s1orHHM34wW4zmtoce+RQ pjuOTXcb+fbwxf1P7M/LAj7t7vO2ZO4+mYnsxrPT3MZqnYTzuIhiiPx40V63jEfG PGUmY/v/bOHIRHAfOWZ0xwCoHHQvs8MSmp1BPq2qIOWdt5BA1VORKsEIK9tbJ6LN lsQe+vK7yvpZCH5y40S4cr0BmBGr1KlTetv+L9m+tRvfP+cR832IC2DikdjwQBuq bFfLIpIH5oY66MuY4UkPLE6OyDRJrF8w/BWkJ+GLATrLYmbXV166wdTMx+DQ9lLy IVfWfk0FK54NZ9pCK7pwYRAXBTk9XGE/gngfXxRSAs79GIxtFjbQ1g9xTHQb8Z9Y yAUNlYFAdAjW8dWvFfXJ2xLa4KymAgQlxSNI5YwKkRFRGjEEX3d8bVfAwWu0ZSUM n1ZZnSBaUkRsME4OWBG7DIsdjtsRDIcIa39yChKN9VpYTh6CeosOVAvXGT3jKpBw RGZD9tYvvxvbbsAKtLnozKDs1wRNH/98QD92wGmBcbmEENanpP8= =81NT -----END PGP SIGNATURE----- --===============8686149362134967530==--