Your message dated Tue, 25 Nov 2025 10:06:06 +0000
with message-id <[email protected]>
and subject line Bug#1118339: fixed in git-lfs 3.7.1-1
has caused the Debian Bug report #1118339,
regarding git-lfs: CVE-2025-26625
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118339
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: git-lfs
Version: 3.6.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for git-lfs.
CVE-2025-26625[0]:
| Git LFS is a Git extension for versioning large files. In Git LFS
| versions 0.5.2 through 3.7.0, when populating a Git repository's
| working tree with the contents of Git LFS objects, certain Git LFS
| commands may write to files visible outside the current Git working
| tree if symbolic or hard links exist which collide with the paths of
| files tracked by Git LFS. The git lfs checkout and git lfs pull
| commands do not check for symbolic links before writing to files in
| the working tree, allowing an attacker to craft a repository
| containing symbolic or hard links that cause Git LFS to write to
| arbitrary file system locations accessible to the user running these
| commands. As well, when the git lfs checkout and git lfs pull
| commands are run in a bare repository, they could write to files
| visible outside the repository. The vulnerability is fixed in
| version 3.7.1. As a workaround, support for symlinks in Git may be
| disabled by setting the core.symlinks configuration option to false,
| after which further clones and fetches will not create symbolic
| links. However, any symbolic or hard links in existing repositories
| will still provide the opportunity for Git LFS to write to their
| targets.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-26625
https://www.cve.org/CVERecord?id=CVE-2025-26625
[1] https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
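The check the advisory above says `git lfs checkout` and `git lfs pull` lacked, shown as an added example that is not git-lfs's own code: a write routine that refuses to populate a working-tree path when the cleaned path escapes the tree, when any existing component is a symbolic link, or when the target is a hard link (link count above one). The name `safeWriteFile` is hypothetical, and the hard-link test relies on `syscall.Stat_t`, so the block is Unix-only.

```go
package main
import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)
// ErrUnsafePath: the write would leave root or go through a symlink/hard link.
var ErrUnsafePath = errors.New("unsafe checkout path")
// safeWriteFile writes data to root/rel, refusing if the cleaned path escapes
// root, any existing component is a symlink, or the target is a hard link.
func safeWriteFile(root, rel string, data []byte) error { // Unix-only (Stat_t)
	root = filepath.Clean(root)
	full := filepath.Join(root, rel) // Join cleans, resolving ".." lexically
	inside, err := filepath.Rel(root, full)
	if err != nil || inside == "." || inside == ".." || strings.HasPrefix(inside, "../") {
		return fmt.Errorf("%w: %q escapes %s", ErrUnsafePath, rel, root)
	}
	cur := root // Lstat each component top-down so no symlink is ever followed
	for _, part := range strings.Split(inside, "/") {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break // nothing below here exists yet, so nothing can redirect the write
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s is a symlink", ErrUnsafePath, cur)
		}
		st, ok := fi.Sys().(*syscall.Stat_t)
		if ok && fi.Mode().IsRegular() && st.Nlink > 1 {
			return fmt.Errorf("%w: %s has %d hard links", ErrUnsafePath, cur, st.Nlink)
		}
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
		return err
	}
	// O_NOFOLLOW closes the Lstat-then-open race on the final component.
	f, err := os.OpenFile(full, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}
```

Setting `core.symlinks` to `false`, the workaround named in the advisory, only stops Git from creating new symlinks; a per-write check like this one is what also covers links already present in a clone.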
--- Begin Message ---
Source: git-lfs
Source-Version: 3.7.1-1
Done: Stephen Gelman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git-lfs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stephen Gelman <[email protected]> (supplier of updated git-lfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 25 Nov 2025 01:32:12 -0600
Source: git-lfs
Architecture: source
Version: 3.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Stephen Gelman <[email protected]>
Closes: 1118339
Changes:
git-lfs (3.7.1-1) unstable; urgency=medium
.
* New upstream release (Closes: #1118339)
* Update standards version to 4.7.2
* Update watch file to version 4
* Clean up some superfluous options in the control file
--- End Message ---