Uprev libgit to v1.3.1 #911

2022-04-14T08:53:00-05:00

lhchavez commented

2022-04-14 08:53:00 -05:00

(Migrated from github.com)

🔒 This is a security release to provide compatibility with git's
changes to address CVE
2022-24765.

libgit2 (and by extension git2go) are not directly affected by this
vulnerability, because libgit2 does not directly invoke any executable.
But we are providing these changes as a security release for any users
that use libgit2 for repository discovery and then also use git on that
repository. In this release, we will now validate that the user opening
the repository is the same user that owns the on-disk repository. This
is to match git's behavior.

In addition, we are providing several correctness fixes where invalid
input can lead to a crash. These may prevent possible denial of service
attacks. At this time there are not known exploits to these issues.

🔒 This is a security release to provide compatibility with git's changes to address [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/). libgit2 (and by extension git2go) are not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior. In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.

Sign in to join this conversation.

No reviewers