Security issues fixed upstream in Git have been announced today (December 13):
The issues are fixed in 2.21.1.
The other CVEs in the announcement only affect Windows.
Stig has just updated Cauldron to version 2.24.1.
May I assign this to you? [Complain privately if not, I am not CC'd]
Nicolas is working on it.
The updated packages fix security vulnerabilities:
The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. (CVE-2019-1348)
When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. (CVE-2019-1349)
Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. (CVE-2019-1387)
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. (CVE-2019-19604)
Updated packages in core/updates_testing:
CVE-2019-1348, CVE-2019-1349, CVE-2019-1387, CVE-2019-19604
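As an added illustration, not part of this bug report or of Git's own code: a small Python audit that parses a .gitmodules file and flags the two patterns the advisory text above describes, submodule names that traverse out of .git/modules (CVE-2019-1387) and update settings beginning with "!" that make "git submodule update" run a command (CVE-2019-19604). The .gitmodules content is constructed, and the traversal check is a simplified version of the validation Git itself applies.

```python
import re

# Constructed .gitmodules sample (not from any real repository): one clean
# submodule, one with a traversing name, one with an update = !cmd setting.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../.git/modules/evil"]
\tpath = vendor/evil
\turl = https://example.invalid/evil.git
[submodule "tools"]
\tpath = tools
\turl = https://example.invalid/tools.git
\tupdate = !echo custom-command
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def parse_gitmodules(text):
    """Return {name: {key: value}} for each [submodule "name"] section."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules

def is_traversing_name(name):
    """Simplified check: absolute names or names with a '..' component."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts

def audit_gitmodules(text):
    """Return a list of (submodule name, reason) findings."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        if is_traversing_name(name):
            findings.append((name, "submodule name escapes .git/modules"))
        update = keys.get("update", "")
        if update.startswith("!"):
            findings.append((name, "update setting runs a command: " + update))
    return findings
```

Running audit_gitmodules over the sample reports the "../../.git/modules/evil" name and the "tools" update entry, and nothing for "libfoo".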
Debian and Ubuntu have issued advisories for this on December 10:
Installed and tested without issues.
Tested using existing, cloned and newly created repositories. Most operations were tested. No issues found.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i git.*2\.21\.1 | sort
An update for this issue has been pushed to the Mageia Updates repository.