Github says 2.25.1 is vulnerable

Asked by Rahul Kojrekar

Hello,

We are using Ubuntu 20.04: git - 1:2.25.1-1ubuntu3.10 on our EC2 machine. When we run git --version, it says git 2.25.1.

My question is that GitHub is saying that

Affected versions
<= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0

While this Ubuntu post is saying https://ubuntu.com/security/notices/USN-5871-1

git - 1:2.25.1-1ubuntu3.10 is the fixed version. The git version command on our EC2 instance using this Ubuntu package is showing version 2.25.1.

I am confused about who is correct, Ubuntu or GitHub? :-)

Question information

Language: English
Status: Answered
For: Ubuntu git
Assignee: No assignee

Bernard Stafford (bernard010) said :
#1

Both; the information is correct.
At the bottom of the page: "In general, a standard system update will make all the necessary changes."
You should update your computer. The update will be in your regular updates.

Manfred Hampl (m-hampl) said :
#2

Some additional details about the way Ubuntu usually handles such cases:

The original git version 2.25.1 is vulnerable, and that version was also packaged for Ubuntu 20.04 (the package version was named 2.25.1-1ubuntu3).
To deal with the newly detected vulnerability, Ubuntu did not upgrade git to a higher version in Ubuntu 20.04, but applied bug fixes.
The updated version with the fixes in Ubuntu 20.04 is now called version 2.25.1-1ubuntu3.10.
Running "git --version" of course still shows "2.25.1", but in Ubuntu the version that shows 2.25.1 is a "fixed" version.

Details from the change log:
git (1:2.25.1-1ubuntu3.10) focal-security; urgency=medium

  * SECURITY UPDATE: Overwritten path and using
    local clone optimization even when using a non-local transport
    - debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust
      a mismatch data type in attr.c.
    - debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate
      clone_local() with ambiguous transport in
      t/t5619-clone-local-ambiguous-transport.sh.
    - debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay
      picking a transport until after get_repo_path() in builtin/clone.c.
    - debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level
      symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h,
      t/t0066-dir-iterator.sh, t/t5604-clone-reference.sh.
    - debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind
      newly created symbolic links in apply.c, t/t4115-apply-symlink.sh.
    - CVE-2023-22490
    - CVE-2023-23946
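
The practical check that follows from the answer above is to compare the installed Debian package version (the one `dpkg` reports, not the one `git --version` reports) against the fixed version named in the USN. The following is an added example, not code from the thread or from Ubuntu: it reimplements dpkg's version-comparison rules in Python so it runs anywhere, parses a constructed sample of `dpkg -s git` output (not captured from the asker's host), and uses the fixed focal version 1:2.25.1-1ubuntu3.10 that appears on this page. It also shows why the epoch prefix makes a package version such as 1:2.25.1-... sort above upstream 2.39.0, which is why package versions must never be compared against GitHub's upstream "affected versions" list.

```python
import re

# Constructed sample of `dpkg -s git` output on a patched Ubuntu 20.04 host
# (not captured from the asker's machine; the version string is the one
# named in USN-5871-1 and in the answers above).
SAMPLE_DPKG_STATUS = """\
Package: git
Status: install ok installed
Priority: optional
Section: vcs
Version: 1:2.25.1-1ubuntu3.10
Depends: libc6 (>= 2.28), libcurl3-gnutls (>= 7.56.1), libexpat1 (>= 2.0.1)
"""

# Fixed package version published in USN-5871-1 for focal (from the page).
FIXED_FOCAL_VERSION = "1:2.25.1-1ubuntu3.10"


def installed_version(dpkg_status_text: str) -> str:
    """Pull the Version: field out of `dpkg -s <pkg>` output."""
    for line in dpkg_status_text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version: field found")


def parse_version(v: str):
    """Split a Debian version into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def upstream_version(v: str) -> str:
    """The part of a package version that `git --version` actually reports."""
    return parse_version(v)[1]


def _order(c: str) -> int:
    # dpkg's character weighting for non-digit runs: '~' sorts before the
    # end of a string, letters sort before other characters; the caller
    # uses 0 for end-of-string.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (lexical, weighted as
    above) and digit runs (compared numerically)."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa = _order(sa[i]) if i < len(sa) else 0
            ob = _order(sb[i]) if i < len(sb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch first,
    then upstream version, then Debian revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_FOCAL_VERSION) -> bool:
    """True when the installed package is at or above the USN's fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_STATUS)
    print(f"package version:            {v}")
    print(f"git --version would report: {upstream_version(v)}")
    print(f"patched per USN-5871-1:     {is_fixed(v)}")
```

On a real host the same check is `dpkg -s git | grep ^Version` followed by `dpkg --compare-versions "$installed" ge 1:2.25.1-1ubuntu3.10`; the Python above only exists so the comparison rules can be read and run offline. Note that 1:2.25.1-1ubuntu3 (the pre-fix package) sorts below 1:2.25.1-1ubuntu3.10 even though both report 2.25.1 from `git --version`, and that the epoch alone makes 1:2.25.1-1ubuntu3.10 sort above 2.39.0, so a scanner that feeds package versions into an upstream-version rule will get the answer wrong in both directions.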
