Github says 2.25.1 is vulnerable

Asked by Rahul Kojrekar


We are using Ubuntu 20.04: git - 1:2.25.1-1ubuntu3.10 on our ec2 machine. When we do git --version it says git 2.25.1

My question is that github is saying that

Affected versions
<= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0

While this ubuntu post is saying

git - 1:2.25.1-1ubuntu3.10 is the fixed version. The git version command on our ec2 instance using this ubuntu package is showing 2.25.1 version.

I am confused who is saying correct, ubuntu or github? :-)

Bernard Stafford (bernard010) said :

Both, the information is correct.
At the bottom of the page: "In general, a standard system update will make all the necessary changes."
You should update your computer. The update will be in your regular updates.

Manfred Hampl (m-hampl) said :

Some additional details about the way Ubuntu usually is handling such cases:

The original git version 2.25.1 is vulnerable, and that version was also packaged for Ubuntu 20.04 (the package version was named 2.25.1-1ubuntu3).
To deal with the newly-detected vulnerability, Ubuntu did not upgrade git to a higher version in Ubuntu 20.04, but instead applied bug fixes.
The updated version with the fixes in Ubuntu 20.04 is now called version 2.25.1-1ubuntu3.10.
Running "git --version" of course still shows "2.25.1", but in Ubuntu the version that shows 2.25.1 is a "fixed" version.

Details from the change log:
git (1:2.25.1-1ubuntu3.10) focal-security; urgency=medium

  * SECURITY UPDATE: Overwritten path and using
    local clone optimization even when using a non-local transport
    - debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust
      a mismatch data type in attr.c.
    - debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate
      clone_local() with ambiguous transport in
    - debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay
      picking a transport until after get_repo_path() in builtin/clone.c.
    - debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level
      symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h,
      t/, t/
    - debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind
      newly created symbolic links in apply.c, t/
    - CVE-2023-22490
    - CVE-2023-23946
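The distinction Manfred describes can be checked mechanically. The following Python script is an added example (not code from the question, the answers, Ubuntu or git): it ports dpkg's version-comparison rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything) and applies them to a constructed `dpkg-query` line for the git package. The upstream part of the package version is what `git --version` prints, so comparing only that number against GitHub's list says "affected"; comparing the full package version against the fixed version from the changelog above says "fixed". The sample `dpkg-query` line and the use of 2.30.6 (the lowest "<=" entry in GitHub's list) as the upstream threshold are assumptions derived from the thread.

```python
"""Compare Debian/Ubuntu package versions the way dpkg does (added example).

The comparison rules are a port of dpkg's verrevcmp(); the sample line and
thresholds below are constructed from the thread, not read from a live host.
"""

# Constructed: what `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' git`
# would print on the questioner's Ubuntu 20.04 host (assumption).
SAMPLE_DPKG_LINE = "git\t1:2.25.1-1ubuntu3.10\tinstall ok installed"

# Fixed package version, taken from the changelog quoted in the answer.
USN_FIXED_VERSION = "1:2.25.1-1ubuntu3.10"

# Lowest "<= ..." entry in GitHub's affected list; 2.25.x sits below it.
GITHUB_AFFECTED_UPTO = "2.30.6"


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Collation weight of one character in a non-digit run (dpkg rules)."""
    if not c or _isdigit(c):
        return 0            # end of string / digit boundary
    if c.isalpha():
        return ord(c)       # letters sort before punctuation
    if c == "~":
        return -1           # '~' sorts before even the empty string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character-by-character using _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides (so 3.10 > 3.9).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:                       # no Debian revision at all
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (like dpkg --compare-versions)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query_line(line: str):
    pkg, version, status = line.rstrip("\n").split("\t")
    return pkg, version, status


def assess(dpkg_line: str, usn_fixed: str, github_affected_upto: str) -> dict:
    """Contrast the upstream-only check with the package-level check."""
    pkg, installed, status = parse_dpkg_query_line(dpkg_line)
    upstream = parse_version(installed)[1]    # this is what `git --version` prints
    return {
        "package": pkg,
        "installed": installed,
        "upstream_version": upstream,
        "upstream_in_github_range": compare_versions(upstream, github_affected_upto) <= 0,
        "package_has_usn_fix": status == "install ok installed"
        and compare_versions(installed, usn_fixed) >= 0,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DPKG_LINE, USN_FIXED_VERSION, GITHUB_AFFECTED_UPTO))
```

On a real host, replace `SAMPLE_DPKG_LINE` with the output of `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' git`; the `upstream_in_github_range` result will still be true for 2.25.1, which is exactly why the upstream number alone is not a usable indicator on a distribution that backports fixes.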
