Source: libgit2 Version: 1.5.0+ds-6 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for libgit2. CVE-2023-22742[0]: | libgit2 is a cross-platform, linkable library implementation of Git. | When using an SSH remote with the optional libssh2 backend, libgit2 | does not perform certificate checking by default. Prior versions of | libgit2 require the caller to set the `certificate_check` field of | libgit2's `git_remote_callbacks` structure - if a certificate check | callback is not set, libgit2 does not perform any certificate | checking. This means that by default - without configuring a | certificate check callback, clients will not perform validation on the | server SSH keys and may be subject to a man-in-the-middle attack. | Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to | upgrade should ensure that all relevant certificates are manually | checked. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-22742 https://www.cve.org/CVERecord?id=CVE-2023-22742 [1] https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq [2] https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
