Bug 27571 - git-lfs new security issue CVE-2020-27955
Summary: git-lfs new security issue CVE-2020-27955
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Guillaume Rousse
QA Contact: Sec team
URL:
Whiteboard:
Keywords: Triaged
Depends on:
Blocks:
 
Reported: 2020-11-06 00:59 CET by David Walser
Modified: 2020-11-10 20:10 CET
0 users

See Also:
Source RPM: git-lfs-2.12.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-11-06 00:59:53 CET
A security issue in git-lfs has been announced on November 4:
https://www.openwall.com/lists/oss-security/2020/11/05/1

There doesn't appear to be a fix available yet.

Mageia 7 is also affected.
Comment 1 Aurelien Oudelet 2020-11-07 10:17:24 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2020-11-10 19:25:56 CET
According to the git-lfs advisory, this is a Windows-only issue:
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m

And this is consistent with original announcement:
Basically the whole Windows dev world which uses git.

Update on its way for Cauldron, but that's not worth an update for Mageia 7.
Comment 3 David Walser 2020-11-10 20:10:01 CET
Fixed in git-lfs-2.12.1.mga8.  Thanks.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

