Upstream has issued an advisory on July 12: https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/ The issue is fixed upstream in 2.30.5.
Ubuntu has issued an advisory for this on July 13: https://ubuntu.com/security/notices/USN-5511-1
Fedora has issued an advisory today (July 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GPMAKEXKQSXAMPSW4AZSOG6QKNYUL4FD/ It references a fix for git issue CVE-2022-24765 upstream in 1.3.1: https://github.com/libgit2/libgit2/releases/tag/v1.3.1 And as with git itself, there were further fixes for that issue that constituted this CVE-2022-29187, which is fixed in libgit 1.3.2: https://github.com/libgit2/libgit2/releases/tag/v1.3.2
Summary: git new security issue CVE-2022-29187 => git/libgit2 new security issue CVE-2022-29187
Status comment: (none) => Fixed upstream in git 2.30.5 and libgit2 1.3.2
Source RPM: git-2.30.4-1.mga8.src.rpm => git-2.30.4-1.mga8.src.rpm, libgit2-1.1.0-1.mga8.src.rpm
Assigning to our registered maintainer for libgit2. CC'ing all packagers collectively for git.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => thierry.vignaud
Fedora has issued an advisory for git on July 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
openSUSE has issued an advisory for libgit2 on September 15: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O5GNJU7AMN2F6LPU35TXF6SJ5JFFLZUU/
Depends on: (none) => 30985
Seems 30985 is fixed and git 2.30.6 is now available for mga8. I could work on updating libgit2 if Thierry is OK.
CC: (none) => bruno
Fedora has issued an advisory for libgit2 today (January 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
Updated git packages have been pushed fixing CVE-2022-29187. Debian-LTS has issued an advisory on February 23: https://www.debian.org/lts/security/2023/dla-3340 It fixes a new issue in libgit2 that is fixed upstream in 1.4.5: https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq Mageia 8 is also affected.
Version: 8 => Cauldron
Status comment: Fixed upstream in git 2.30.5 and libgit2 1.3.2 => Fixed upstream in 1.4.5
Source RPM: git-2.30.4-1.mga8.src.rpm, libgit2-1.1.0-1.mga8.src.rpm => libgit2-1.1.0-1.mga8.src.rpm
Whiteboard: (none) => MGA8TOO
Summary: git/libgit2 new security issue CVE-2022-29187 => libgit2 new security issues CVE-2022-29187 and CVE-2023-22742
SUSE has issued an advisory for CVE-2023-22742 on March 24: https://lists.suse.com/pipermail/sle-security-updates/2023-March/014158.html
Mageia 8 EOL. Debian-LTS has issued an advisory for CVE-2024-24577 on February 27: https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
Status comment: Fixed upstream in 1.4.5 => (none)
CVE: (none) => CVE-2023-22742, CVE-2024-24577
Summary: libgit2 new security issues CVE-2022-29187 and CVE-2023-22742 => libgit2 new security issues CVE-2023-22742 and CVE-2024-24577
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => MGA9TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. (CVE-2023-22742)

Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. (CVE-2024-24577)

References:
https://www.debian.org/lts/security/2023/dla-3340
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014158.html
https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
========================

Updated packages in core/updates_testing:
========================
lib(64)git2_1.3-1.3.2-1.1.mga9
lib(64)git2-devel-1.3.2-1.1.mga9

from SRPM:
libgit2-1.3.2-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: thierry.vignaud => qa-bugs
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on HP-Pavilion. No installation issues. Ref bug 26464, installed basket and added new basket with text file and some screenshot. All works OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Forgot to mention: I get a lot of warnings on Wayland at the CLI, but that doesn't stop basket working OK.
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0059.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED