Upstream has announced a security issue in git today (March 9): https://lkml.org/lkml/2021/3/9/995 The issue is fixed upstream in 2.21.4 and 2.30.2. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 2.21.4 and 2.30.2
CC: (none) => mageia
Fixed in cauldron mga 7/8 src:
- git-2.21.4-1.mga7
- git-2.30.2-1.mga8
Status comment: Fixed upstream in 2.21.4 and 2.30.2 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: bugsquad => qa-bugs
Quick work! It will need the advisory.
Advisory:
========================

Updated git packages fix security vulnerability:

On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone (CVE-2021-21300).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300
https://lkml.org/lkml/2021/3/9/995
========================

Updated packages in core/updates_testing:
========================
git-2.21.4-1.mga7
git-core-2.21.4-1.mga7
gitk-2.21.4-1.mga7
libgit-devel-2.21.4-1.mga7
git-subtree-2.21.4-1.mga7
git-svn-2.21.4-1.mga7
git-cvs-2.21.4-1.mga7
git-arch-2.21.4-1.mga7
git-email-2.21.4-1.mga7
perl-Git-2.21.4-1.mga7
perl-Git-SVN-2.21.4-1.mga7
git-core-oldies-2.21.4-1.mga7
gitweb-2.21.4-1.mga7
git-prompt-2.21.4-1.mga7

git-2.30.2-1.mga8
git-core-oldies-2.30.2-1.mga8
git-core-2.30.2-1.mga8
libgit-devel-2.30.2-1.mga8
gitk-2.30.2-1.mga8
gitweb-2.30.2-1.mga8
git-cvs-2.30.2-1.mga8
git-subtree-2.30.2-1.mga8
perl-Git-SVN-2.30.2-1.mga8
git-svn-2.30.2-1.mga8
git-email-2.30.2-1.mga8
perl-Git-2.30.2-1.mga8
git-arch-2.30.2-1.mga8
git-prompt-2.30.2-1.mga8

from SRPMS:
git-2.21.4-1.mga7.src.rpm
git-2.30.2-1.mga8.src.rpm
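An added example, not part of the bug report or the advisory: a shell check for the preconditions the advisory names, comparing the installed git against the fixed releases listed above and looking for globally configured long-running `process` filters (the kind that can be delay-capable, as Git LFS is). The function names and verdict strings are assumptions of this example, and it does not test the file system for case-insensitivity or symlink support.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2021-21300 on a Mageia host.
# Fixed versions are those in the advisory: 2.21.4 (mga7), 2.30.2 (mga8).

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# fixed_version_for V: print the fixed release for V's branch as named in
# the advisory; print nothing for branches the advisory does not cover.
fixed_version_for() {
    case "$1" in
        2.21.*) echo 2.21.4 ;;
        2.30.*) echo 2.30.2 ;;
    esac
}

# process_filters: read `git config --get-regexp` output on stdin and print
# the filter drivers that define a long-running "process" command; only
# those can negotiate the delay capability the advisory mentions.
process_filters() {
    sed -n 's/^filter\.\(.*\)\.process .*/\1/p'
}

# assess VERSION CONFIG_TEXT: print one verdict word (names are this example's).
assess() {
    fixed=$(fixed_version_for "$1")
    if [ -z "$fixed" ]; then echo unknown-branch; return; fi
    if ! version_lt "$1" "$fixed"; then echo patched; return; fi
    if [ -n "$(printf '%s\n' "$2" | process_filters)" ]; then
        echo unpatched-filter-configured
    else
        echo unpatched-no-process-filter
    fi
}

# Constructed sample: the global entry Git LFS typically registers.
SAMPLE_CFG='filter.lfs.process git-lfs filter-process'
echo "sample 2.30.1: $(assess 2.30.1 "$SAMPLE_CFG")"

# Live check, only when git is installed on this host.
if command -v git >/dev/null 2>&1; then
    ver=$(git --version | awk '{print $3}')
    cfg=$(git config --global --get-regexp '^filter\.' 2>/dev/null || true)
    echo "git $ver: $(assess "$ver" "$cfg")"
fi
```

A verdict of `unknown-branch` means the installed version is on a release line this advisory does not list, so consult upstream's announcement for that line.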
Whiteboard: MGA7TOO => MGA7TOO, MGA8-64-OK
Running mga7 x86_64 packages on Mageia infra with no issues so far...
Whiteboard: MGA7TOO, MGA8-64-OK => MGA7TOO, MGA8-64-OK, MGA7-64-OK
Good enough for me. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Same for me on Mageia 8 x86_64. Advisory committed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-21300
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0137.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Ubuntu has issued an advisory for this on March 9: https://ubuntu.com/security/notices/USN-4761-1