Ubuntu alert USN-7977-1 (git-lfs)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-7977-1] Git LFS vulnerabilities
Date: Mon, 26 Jan 2026 18:56:25 +0000
Message-ID: <E1vkRlB-0001Ll-7b@lists.ubuntu.com>

==========================================================================
Ubuntu Security Notice USN-7977-1
January 26, 2026

git-lfs vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Git LFS.

Software Description:
- git-lfs: Command line extension and spec for managing large files with Git

Details:

Ryota K discovered that Git LFS may leak login credentials in certain
instances due to failing to check for URL-encoded characters. An attacker
could possibly use this issue to learn sensitive information.
(CVE-2024-53263)

It was discovered that Git LFS could have its git lfs checkout and
git lfs pull commands abused to write to any file on a user's system.
An attacker could possibly use this issue to execute arbitrary code.
This issue was only addressed in Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-26625)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  git-lfs                            3.6.1-1ubuntu0.1
  golang-github-git-lfs-git-lfs-dev  3.6.1-1ubuntu0.1

Ubuntu 24.04 LTS
  git-lfs                            3.4.1-1ubuntu0.3+esm2
                                     Available with Ubuntu Pro
  golang-github-git-lfs-git-lfs-dev  3.4.1-1ubuntu0.3+esm2
                                     Available with Ubuntu Pro

Ubuntu 22.04 LTS
  git-lfs                            3.0.2-1ubuntu0.3+esm2
                                     Available with Ubuntu Pro
  golang-github-git-lfs-git-lfs-dev  3.0.2-1ubuntu0.3+esm2
                                     Available with Ubuntu Pro

Ubuntu 20.04 LTS
  git-lfs                            2.9.2-1ubuntu0.1~esm2
                                     Available with Ubuntu Pro

Ubuntu 18.04 LTS
  git-lfs                            2.3.4-1ubuntu0.1~esm1
                                     Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7977-1
  CVE-2024-53263, CVE-2025-26625

Package Information:
  https://launchpad.net/ubuntu/+source/git-lfs/3.6.1-1ubunt...

Attachment: signature.asc (type=application/pgp-signature)
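An added example, not part of the notice or of any Canonical tooling: a small auditor that checks an installed git-lfs version against the fixed versions listed under "Update instructions" using dpkg's version ordering, where `~esm2` sorts below and `+esm2` above the bare version. The function names and the inventory rows are assumptions made for illustration; the fixed versions and the note on CVE-2025-26625 come from the notice.

```python
import re

# Fixed git-lfs versions per Ubuntu release, copied from the notice above.
FIXED = {
    "25.10": "3.6.1-1ubuntu0.1",
    "24.04": "3.4.1-1ubuntu0.3+esm2",
    "22.04": "3.0.2-1ubuntu0.3+esm2",
    "20.04": "2.9.2-1ubuntu0.1~esm2",
    "18.04": "2.3.4-1ubuntu0.1~esm1",
}
# The notice says CVE-2025-26625 was only addressed in these releases.
ADDRESSES_26625 = {"25.10", "24.04"}

def _order(c):
    # dpkg ordering: '~' sorts before everything (even end of string);
    # letters sort before other punctuation such as '+' and '.'.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    # Alternating (non-digit run, number) pairs; the trailing 0 marks the
    # end of a run, which gives "~esm2" < "" < "+esm2".
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    # [epoch:]upstream[-revision]; a missing epoch or revision counts as 0.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _part_key(upstream), _part_key(revision)

def deb_cmp(a, b):
    ka, kb = deb_key(a), deb_key(b)
    return (ka > kb) - (ka < kb)

def unaddressed_cves(release, installed):
    """CVEs from USN-7977-1 that the installed package does not address."""
    if deb_cmp(installed, FIXED[release]) < 0:
        return ["CVE-2024-53263", "CVE-2025-26625"]
    # At or above the fixed version: only 24.04 and 25.10 cover both CVEs.
    return [] if release in ADDRESSES_26625 else ["CVE-2025-26625"]

if __name__ == "__main__":
    # Constructed inventory rows: (release, installed git-lfs version).
    for rel, ver in [("24.04", "3.4.1-1ubuntu0.3"), ("22.04", "3.0.2-1ubuntu0.3+esm2"),
                     ("20.04", "2.9.2-1ubuntu0.1~esm1"), ("25.10", "3.6.1-1ubuntu0.1")]:
        print(rel, ver, unaddressed_cves(rel, ver) or "covered by this notice")
```

A CVE reported as unaddressed on 22.04, 20.04 or 18.04 means only that this update does not cover it there; the notice does not state whether those releases are affected.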
