openSUSE has issued an advisory on January 16: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U4RACGLXZEZGUX7BZLFN4GQOHFBHL6FO/
Status comment: (none) => Fixed upstream in 3.6.1
Source RPM: (none) => git-lfs-3.2.0-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-53263
NicolasS is already doing this, so changing the assignment.
Assignee: bugsquad => nicolas.salguero
Debian has issued an advisory on January 24: https://lists.debian.org/debian-security-announce/2025/msg00011.html
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Git LFS permits exfiltration of credentials via crafted HTTP URLs. (CVE-2024-53263)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U4RACGLXZEZGUX7BZLFN4GQOHFBHL6FO/
https://lists.debian.org/debian-security-announce/2025/msg00011.html
========================

Updated packages in core/updates_testing:
========================
git-lfs-3.2.0-1.1.mga9
golang-github-git-lfs-3-devel-3.2.0-1.1.mga9

from SRPM:
git-lfs-3.2.0-1.1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Fixed upstream in 3.6.1 => (none)
Status: NEW => ASSIGNED
MGA9-64 Plasma Wayland on Compaq H000SB
Installation draws in some 376 git- and golang packages. AFAICS this is git and golang developer territory and there are no previous updates, so giving the OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0028.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED