Server IP : 85.214.239.14 / Your IP : 3.149.29.190 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /proc/2/cwd/proc/2/root/proc/2/root/proc/3/cwd/usr/share/doc/git/RelNotes/ |
Upload File : |
Git v2.30.8 Release Notes ========================= This release addresses the security issues CVE-2023-22490 and CVE-2023-23946. Fixes since v2.30.7 ------------------- * CVE-2023-22490: Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. * CVE-2023-23946: By feeding a crafted input to "git apply", a path outside the working tree can be overwritten as the user who is running "git apply". * A mismatched type in `attr.c::read_attr_from_index()` which could cause Git to errantly reject attributes on Windows and 32-bit Linux has been corrected. Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was developed by Taylor Blau, with additional help from others on the Git security mailing list. Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the fix was developed by Patrick Steinhardt. Johannes Schindelin (1): attr: adjust a mismatched data type Patrick Steinhardt (1): apply: fix writing behind newly created symbolic links Taylor Blau (3): t5619: demonstrate clone_local() with ambiguous transport clone: delay picking a transport until after get_repo_path() dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS