Bug 27571

Summary: git-lfs new security issue CVE-2020-27955
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
Keywords: Triaged
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: git-lfs-2.12.0-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2020-11-06 00:59:53 CET
A security issue in git-lfs has been announced on November 4:
https://www.openwall.com/lists/oss-security/2020/11/05/1

There doesn't appear to be a fix available yet.

Mageia 7 is also affected.

Comment 1 Aurelien Oudelet 2020-11-07 10:17:24 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2020-11-10 19:25:56 CET
According to the git-lfs advisory, this is a Windows-only issue:
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m

And this is consistent with the original announcement:
Basically the whole Windows dev world which uses git.

Update on its way for Cauldron, but that's not worth an update for Mageia 7.

Comment 3 David Walser 2020-11-10 20:10:01 CET
Fixed in git-lfs-2.12.1.mga8.  Thanks.

Resolution: (none) => FIXED
Status: NEW => RESOLVED