Debian alert DLA-4028-1 (git-lfs)
| From: | Andrej Shadura <andrewsh@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4028-1] git-lfs security update | |
| Date: | Wed, 22 Jan 2025 17:44:44 +0100 | |
| Message-ID: | <20250122164447.226461-1-andrewsh@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4028-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Andrej Shadura January 22, 2025 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : git-lfs Version : 2.13.2-1+deb11u1 CVE ID : CVE-2024-53263 Debian Bug : 1093048 CVE-2024-53263 When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. For Debian 11 bullseye, this problem has been fixed in version 2.13.2-1+deb11u1. We recommend that you upgrade your git-lfs packages. For the detailed security status of git-lfs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git-lfs Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZ5CvVgAKCRDoRGtKyMdy YaVCAQCrQbGfWI5S738L76FF/vWIK+rvyOlCjE5jG4dx+qEkhgEA95PoKO8qJwa4 DQRM2aj22AINH7NRbsURI5TD+bSReQM= =jlCT -----END PGP SIGNATURE-----