git-2.39.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12698-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z git-2.39.2-1.1 on GA media These are all security issues fixed in the git-2.39.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12698 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-22490/ SUSE CVE CVE-2023-22490 page https://www.suse.com/security/cve/CVE-2023-23946/ SUSE CVE CVE-2023-23946 page openSUSE Tumbleweed git-2.39.2-1.1 git-arch-2.39.2-1.1 git-core-2.39.2-1.1 git-credential-gnome-keyring-2.39.2-1.1 git-credential-libsecret-2.39.2-1.1 git-cvs-2.39.2-1.1 git-daemon-2.39.2-1.1 git-doc-2.39.2-1.1 git-email-2.39.2-1.1 git-gui-2.39.2-1.1 git-p4-2.39.2-1.1 git-svn-2.39.2-1.1 git-web-2.39.2-1.1 gitk-2.39.2-1.1 perl-Git-2.39.2-1.1 git-2.39.2-1.1 as a component of openSUSE Tumbleweed git-arch-2.39.2-1.1 as a component of openSUSE Tumbleweed git-core-2.39.2-1.1 as a component of openSUSE Tumbleweed git-credential-gnome-keyring-2.39.2-1.1 as a component of openSUSE Tumbleweed git-credential-libsecret-2.39.2-1.1 as a component of openSUSE Tumbleweed git-cvs-2.39.2-1.1 as a component of openSUSE Tumbleweed git-daemon-2.39.2-1.1 as a component of openSUSE Tumbleweed git-doc-2.39.2-1.1 as a component of openSUSE Tumbleweed git-email-2.39.2-1.1 as a component of openSUSE Tumbleweed git-gui-2.39.2-1.1 as a component of openSUSE Tumbleweed git-p4-2.39.2-1.1 as a component of openSUSE Tumbleweed git-svn-2.39.2-1.1 as a component of openSUSE Tumbleweed git-web-2.39.2-1.1 as a component of openSUSE Tumbleweed gitk-2.39.2-1.1 as a component of openSUSE Tumbleweed perl-Git-2.39.2-1.1 as a component of openSUSE Tumbleweed Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. CVE-2023-22490 openSUSE Tumbleweed:git-2.39.2-1.1 openSUSE Tumbleweed:git-arch-2.39.2-1.1 openSUSE Tumbleweed:git-core-2.39.2-1.1 openSUSE Tumbleweed:git-credential-gnome-keyring-2.39.2-1.1 openSUSE Tumbleweed:git-credential-libsecret-2.39.2-1.1 openSUSE Tumbleweed:git-cvs-2.39.2-1.1 openSUSE Tumbleweed:git-daemon-2.39.2-1.1 openSUSE Tumbleweed:git-doc-2.39.2-1.1 openSUSE Tumbleweed:git-email-2.39.2-1.1 openSUSE Tumbleweed:git-gui-2.39.2-1.1 openSUSE Tumbleweed:git-p4-2.39.2-1.1 openSUSE Tumbleweed:git-svn-2.39.2-1.1 openSUSE Tumbleweed:git-web-2.39.2-1.1 openSUSE Tumbleweed:gitk-2.39.2-1.1 openSUSE Tumbleweed:perl-Git-2.39.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-22490.html CVE-2023-22490 https://bugzilla.suse.com/1208027 SUSE Bug 1208027 Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. CVE-2023-23946 openSUSE Tumbleweed:git-2.39.2-1.1 openSUSE Tumbleweed:git-arch-2.39.2-1.1 openSUSE Tumbleweed:git-core-2.39.2-1.1 openSUSE Tumbleweed:git-credential-gnome-keyring-2.39.2-1.1 openSUSE Tumbleweed:git-credential-libsecret-2.39.2-1.1 openSUSE Tumbleweed:git-cvs-2.39.2-1.1 openSUSE Tumbleweed:git-daemon-2.39.2-1.1 openSUSE Tumbleweed:git-doc-2.39.2-1.1 openSUSE Tumbleweed:git-email-2.39.2-1.1 openSUSE Tumbleweed:git-gui-2.39.2-1.1 openSUSE Tumbleweed:git-p4-2.39.2-1.1 openSUSE Tumbleweed:git-svn-2.39.2-1.1 openSUSE Tumbleweed:git-web-2.39.2-1.1 openSUSE Tumbleweed:gitk-2.39.2-1.1 openSUSE Tumbleweed:perl-Git-2.39.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-23946.html CVE-2023-23946 https://bugzilla.suse.com/1208028 SUSE Bug 1208028