From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
git-packagers@googlegroups.com
Subject: [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765
Date: Tue, 12 Apr 2022 10:01:21 -0700 [thread overview]
Message-ID: <xmqqv8veb5i6.fsf@gitster.g> (raw)
The latest maintenance release Git v2.35.2, together with releases
for older maintenance tracks v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
v2.34.2, are now available at the usual places.
These maintenance releases are to address the security issues
described in CVE-2022-24765. Please update at your earliest
opportunity.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the 'v2.35.2',
'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3' tags.
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = https://github.com/gitster/git
CVE-2022-24765:
On multi-user machines, Git users might find themselves
unexpectedly in a Git worktree, e.g. when another user created a
repository in `C:\.git`, in a mounted network drive or in a
scratch space. Merely having a Git-aware prompt that runs `git
status` (or `git diff`) and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an
editor or IDE such as VS Code or Atom, will potentially run
commands defined by that other user.
Credit for finding this vulnerability goes to 俞晨东; the fix was
authored by Johannes Schindelin.
next reply other threads:[~2022-04-12 17:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-12 17:01 Junio C Hamano [this message]
2022-04-12 18:05 ` [ANNOUNCE] Git v2.35.2 and below for CVE-2022-24765 SZEDER Gábor
2022-04-14 0:22 ` [ANNOUNCE] Git v2.35.3 and below as a usability fix Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqv8veb5i6.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git-packagers@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).