An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2023-1120 Final 1.0 1.0 2023-02-24 Initial 2023-02-24 2023-02-24 openEuler SA Tool V1.0 2023-02-24 git security update An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1. Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce,and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows. Security Fix(es): Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.(CVE-2023-22490) Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.(CVE-2023-23946) An update for git is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium git https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-22490 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23946 https://nvd.nist.gov/vuln/detail/CVE-2023-22490 https://nvd.nist.gov/vuln/detail/CVE-2023-23946 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 git-debugsource-2.27.0-12.oe1.aarch64.rpm git-debuginfo-2.27.0-12.oe1.aarch64.rpm git-daemon-2.27.0-12.oe1.aarch64.rpm git-2.27.0-12.oe1.aarch64.rpm git-2.27.0-15.oe1.aarch64.rpm git-debugsource-2.27.0-15.oe1.aarch64.rpm git-debuginfo-2.27.0-15.oe1.aarch64.rpm git-daemon-2.27.0-15.oe1.aarch64.rpm git-2.33.0-8.oe2203.aarch64.rpm git-daemon-2.33.0-8.oe2203.aarch64.rpm git-debuginfo-2.33.0-8.oe2203.aarch64.rpm git-debugsource-2.33.0-8.oe2203.aarch64.rpm git-debuginfo-2.33.0-9.oe2203sp1.aarch64.rpm git-daemon-2.33.0-9.oe2203sp1.aarch64.rpm git-core-2.33.0-9.oe2203sp1.aarch64.rpm git-debugsource-2.33.0-9.oe2203sp1.aarch64.rpm git-2.33.0-9.oe2203sp1.aarch64.rpm perl-Git-2.27.0-12.oe1.noarch.rpm git-web-2.27.0-12.oe1.noarch.rpm gitk-2.27.0-12.oe1.noarch.rpm git-email-2.27.0-12.oe1.noarch.rpm git-gui-2.27.0-12.oe1.noarch.rpm git-help-2.27.0-12.oe1.noarch.rpm git-svn-2.27.0-12.oe1.noarch.rpm perl-Git-SVN-2.27.0-12.oe1.noarch.rpm git-svn-2.27.0-15.oe1.noarch.rpm gitk-2.27.0-15.oe1.noarch.rpm git-help-2.27.0-15.oe1.noarch.rpm git-gui-2.27.0-15.oe1.noarch.rpm git-email-2.27.0-15.oe1.noarch.rpm git-web-2.27.0-15.oe1.noarch.rpm perl-Git-SVN-2.27.0-15.oe1.noarch.rpm perl-Git-2.27.0-15.oe1.noarch.rpm perl-Git-2.33.0-8.oe2203.noarch.rpm git-gui-2.33.0-8.oe2203.noarch.rpm git-svn-2.33.0-8.oe2203.noarch.rpm perl-Git-SVN-2.33.0-8.oe2203.noarch.rpm gitk-2.33.0-8.oe2203.noarch.rpm git-help-2.33.0-8.oe2203.noarch.rpm git-web-2.33.0-8.oe2203.noarch.rpm git-email-2.33.0-8.oe2203.noarch.rpm git-help-2.33.0-9.oe2203sp1.noarch.rpm gitk-2.33.0-9.oe2203sp1.noarch.rpm git-gui-2.33.0-9.oe2203sp1.noarch.rpm perl-Git-2.33.0-9.oe2203sp1.noarch.rpm git-email-2.33.0-9.oe2203sp1.noarch.rpm git-svn-2.33.0-9.oe2203sp1.noarch.rpm git-web-2.33.0-9.oe2203sp1.noarch.rpm perl-Git-SVN-2.33.0-9.oe2203sp1.noarch.rpm git-2.27.0-12.oe1.src.rpm git-2.27.0-15.oe1.src.rpm git-2.33.0-8.oe2203.src.rpm git-2.33.0-9.oe2203sp1.src.rpm git-debuginfo-2.27.0-12.oe1.x86_64.rpm git-daemon-2.27.0-12.oe1.x86_64.rpm git-debugsource-2.27.0-12.oe1.x86_64.rpm git-2.27.0-12.oe1.x86_64.rpm git-daemon-2.27.0-15.oe1.x86_64.rpm git-debuginfo-2.27.0-15.oe1.x86_64.rpm git-debugsource-2.27.0-15.oe1.x86_64.rpm git-2.27.0-15.oe1.x86_64.rpm git-debuginfo-2.33.0-8.oe2203.x86_64.rpm git-debugsource-2.33.0-8.oe2203.x86_64.rpm git-daemon-2.33.0-8.oe2203.x86_64.rpm git-2.33.0-8.oe2203.x86_64.rpm git-daemon-2.33.0-9.oe2203sp1.x86_64.rpm git-2.33.0-9.oe2203sp1.x86_64.rpm git-core-2.33.0-9.oe2203sp1.x86_64.rpm git-debuginfo-2.33.0-9.oe2203sp1.x86_64.rpm git-debugsource-2.33.0-9.oe2203sp1.x86_64.rpm Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. 2023-02-24 CVE-2023-22490 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N git security update 2023-02-24 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120 Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. 2023-02-24 CVE-2023-23946 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS openEuler-22.03-LTS-SP1 Medium 6.2 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N git security update 2023-02-24 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1120