Source: git
Version: 1:2.39.5-0+deb12u1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:2.45.2-1
Control: found -1 1:2.47.1-1
Hi,

The following vulnerabilities were published for git.

CVE-2024-50349[0]:
| Git is a fast, scalable, distributed revision control system with an
| unusually rich command set that provides both high-level operations
| and full access to internals. When Git asks for credentials via a
| terminal prompt (i.e. without using any credential helper), it
| prints out the host name for which the user is expected to provide a
| username and/or a password. At this stage, any URL-encoded parts
| have been decoded already, and are printed verbatim. This allows
| attackers to craft URLs that contain ANSI escape sequences that the
| terminal interprets to confuse users e.g. into providing passwords
| for trusted Git hosting sites when in fact they are then sent to
| untrusted sites that are under the attacker's control. This issue
| has been patched via commits `7725b81` and `c903985` which are
| included in release versions v2.48.1, v2.47.1, v2.46.3, v2.45.3,
| v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised
| to upgrade. Users unable to upgrade should avoid cloning from
| untrusted URLs, especially recursive clones.

CVE-2024-52006[1]:
| Git is a fast, scalable, distributed revision control system with an
| unusually rich command set that provides both high-level operations
| and full access to internals. Git defines a line-based protocol that
| is used to exchange information between Git and Git credential
| helpers. Some ecosystems (most notably, .NET and node.js) interpret
| single Carriage Return characters as newlines, which renders the
| protections against CVE-2020-5260 incomplete for credential helpers
| that treat Carriage Returns in this way. This issue has been
| addressed in commit `b01b9b8` which is included in release versions
| v2.48.1, v2.47.1, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4,
| v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to
| upgrade should avoid cloning from untrusted URLs, especially
| recursive clones.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-50349
    https://www.cve.org/CVERecord?id=CVE-2024-50349
[1] https://security-tracker.debian.org/tracker/CVE-2024-52006
    https://www.cve.org/CVERecord?id=CVE-2024-52006
[2] https://www.openwall.com/lists/oss-security/2025/01/14/4

Regards,
Salvatore
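The two advisories quoted above share one defensive lesson: a value must be checked in the form it is actually consumed in (the host after percent-decoding, the credential value as the helper's line reader sees it). The following is an added illustration written for this bug report, not code from Git or from the upstream fixes; the function names, the constructed sample URL and the constructed credential request are assumptions for the example. It shows a check that refuses a decoded host containing control characters (including ESC, which begins ANSI escape sequences) before it could reach a terminal prompt, and models the credential-helper side of CVE-2024-52006 by parsing the same request with a reader that treats only LF as a line terminator and with one that, like `str.splitlines()`, also treats a lone CR as one.

```python
"""Defensive checks for the two issue classes in the Git advisories.

Added example; not Git's code. Function names and sample data are
constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# ASCII control characters 0x00-0x1F plus DEL. ESC (0x1B) is the byte a
# terminal turns into an ANSI escape sequence; CR and LF are included too.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """True if text contains any ASCII control character."""
    return _CONTROL.search(text) is not None


def safe_prompt_host(url: str) -> Optional[str]:
    """Return the host a credential prompt may print, or None if unsafe.

    The check runs on the percent-DECODED host, because that is the form
    that would be written to the terminal (the CVE-2024-50349 situation).
    """
    host = unquote(urlsplit(url).hostname or "")
    if has_control_chars(host):
        return None
    return host


def value_is_line_safe(value: str) -> bool:
    """A credential-protocol value may contain neither LF nor CR.

    LF would end the line; CR must be rejected as well, since some helper
    ecosystems treat a lone CR as a newline (the CVE-2024-52006 situation).
    """
    return "\n" not in value and "\r" not in value


def credential_line(key: str, value: str) -> str:
    """Build one key=value line for a helper, refusing unsafe input."""
    if not (value_is_line_safe(key) and value_is_line_safe(value)):
        raise ValueError("refusing to emit a value containing CR or LF")
    return f"{key}={value}\n"


def parse_credential_request(data: str, lenient_cr: bool = False) -> dict:
    """Parse key=value lines the way a credential helper would.

    lenient_cr=False splits on LF only (CR stays inside the value).
    lenient_cr=True uses str.splitlines(), which also breaks on a lone CR,
    modelling the helper ecosystems named in the advisory.
    """
    lines = data.splitlines() if lenient_cr else data.split("\n")
    request = {}
    for line in lines:
        if not line:          # a blank line terminates the request
            break
        key, sep, value = line.partition("=")
        if sep:
            request[key] = value
    return request


# Constructed sample inputs (not taken from the advisory).
SAMPLE_CLEAN_URL = "https://git.example.com/repo.git"
SAMPLE_ESCAPED_URL = "https://git.example.com%1b%5b2K/repo.git"  # decodes to ESC [ 2 K
SAMPLE_REQUEST = "protocol=https\nhost=good.example\rpath=other\n\n"

if __name__ == "__main__":
    print("clean host:", safe_prompt_host(SAMPLE_CLEAN_URL))
    print("escaped host:", safe_prompt_host(SAMPLE_ESCAPED_URL))
    print("strict parse:", parse_credential_request(SAMPLE_REQUEST))
    print("lenient parse:", parse_credential_request(SAMPLE_REQUEST, lenient_cr=True))
```

With the constructed request, the strict reader keeps `good.example\rpath=other` as a single `host` value, while the lenient reader produces a separate `path` key that the sender never intended; `credential_line` refuses such a value on the sending side, which is the layer the upstream fix hardens.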