27571 – git-lfs new security issue CVE-2020-27955

Bug 27571 - git-lfs new security issue CVE-2020-27955

Summary: git-lfs new security issue CVE-2020-27955

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Guillaume Rousse
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:	Triaged

Depends on:
Blocks:

Reported:	2020-11-06 00:59 CET by David Walser
Modified:	2020-11-10 20:10 CET (History)
CC List:	0 users

See Also:
Source RPM:	git-lfs-2.12.0-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-11-06 00:59:53 CET

A security issue in git-lfs has been announced on November 4:
https://www.openwall.com/lists/oss-security/2020/11/05/1

There doesn't appear to be a fix available yet.

Mageia 7 is also affected.

Comment 1 Aurelien Oudelet 2020-11-07 10:17:24 CET

Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2020-11-10 19:25:56 CET

According to the git-lfs advisory, this is a windows-only issue:
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m

And this is consistent with original announcement:
Basically the whole Windows dev world which uses git.

Update on its way fro cauldron, but that's not worth an update for mageia 7.

Comment 3 David Walser 2020-11-10 20:10:01 CET

Fixed in git-lfs-2.12.1.mga8.  Thanks.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.