Browse Source
Signed-off-by: Taylor Blau <me@ttaylorr.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>main v2.30.9
Taylor Blau
2 years ago
committed by
Johannes Schindelin
3 changed files with 45 additions and 2 deletions
@ -0,0 +1,43 @@
@@ -0,0 +1,43 @@
|
||||
Git v2.30.9 Release Notes |
||||
========================= |
||||
|
||||
This release addresses the security issues CVE-2023-25652, |
||||
CVE-2023-25815, and CVE-2023-29007. |
||||
|
||||
|
||||
Fixes since v2.30.8 |
||||
------------------- |
||||
|
||||
* CVE-2023-25652: |
||||
|
||||
By feeding specially crafted input to `git apply --reject`, a |
||||
path outside the working tree can be overwritten with partially |
||||
controlled contents (corresponding to the rejected hunk(s) from |
||||
the given patch). |
||||
|
||||
* CVE-2023-25815: |
||||
|
||||
When Git is compiled with runtime prefix support and runs without |
||||
translated messages, it still used the gettext machinery to |
||||
display messages, which subsequently potentially looked for |
||||
translated messages in unexpected places. This allowed for |
||||
malicious placement of crafted messages. |
||||
|
||||
* CVE-2023-29007: |
||||
|
||||
When renaming or deleting a section from a configuration file, |
||||
certain malicious configuration values may be misinterpreted as |
||||
the beginning of a new configuration section, leading to arbitrary |
||||
configuration injection. |
||||
|
||||
Credit for finding CVE-2023-25652 goes to Ry0taK, and the fix was |
||||
developed by Taylor Blau, Junio C Hamano and Johannes Schindelin, |
||||
with the help of Linus Torvalds. |
||||
|
||||
Credit for finding CVE-2023-25815 goes to Maxime Escourbiac and |
||||
Yassine BENGANA of Michelin, and the fix was developed by Johannes |
||||
Schindelin. |
||||
|
||||
Credit for finding CVE-2023-29007 goes to André Baptista and Vítor Pinho |
||||
of Ethiack, and the fix was developed by Taylor Blau, and Johannes |
||||
Schindelin, with help from Jeff King, and Patrick Steinhardt. |
Loading…
Reference in new issue