oss-sec mailing list archives
CVE Request: two security fixes in libgit2 0.25.1, 0.24.6
From: Andreas Stieger <astieger () suse com>
Date: Tue, 10 Jan 2017 11:31:37 +0100
Hello,

libgit2 released:

  https://github.com/libgit2/libgit2/releases/tag/v0.25.1
  https://github.com/libgit2/libgit2/releases/tag/v0.24.6

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart Protocol which can lead to attempting to parse outside of the buffer.

  https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
  https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a

[...] fix affects the certificate check callback. It provides a valid parameter to indicate whether the native cryptographic library considered the certificate to be correct. This parameter is always 1/true before this fix, leading to a possible MITM. This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.

  https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
  https://github.com/libgit2/libgit2/commit/98d66240ecb7765e191da19b535c75c92ccc90fe
  https://github.com/libgit2/libgit2/commit/3829ba2e710553893faf6336cc6b2f3fc17a293e
  https://github.com/libgit2/libgit2/commit/2ac57aa89bde788173b54bd153430369deec64c0

Could CVEs please be assigned?

Thanks,
Andreas

-- 
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Attachment:
signature.asc
Description: OpenPGP digital signature
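The first fix in the mail concerns Smart Protocol parsing that could read outside its buffer. The mail does not say which edge cases the two commits handle, so the following is an added illustration written for this page, not libgit2's own code: a bounds-checked parser for Git's pkt-line framing (a 4-hex-digit length prefix that counts itself, "0000" as flush), showing the three checks a reader needs before touching the body (prefix fully present, length in 1..3 rejected since it cannot hold its own prefix, body not read beyond the bytes actually held). The enum, struct and function names, and the sample stream, are all constructed here and are not libgit2 identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for one pkt-line parse attempt (names are this example's own). */
enum pkt_status {
    PKT_OK = 0,        /* a data packet was parsed */
    PKT_FLUSH = 1,     /* "0000" flush-pkt */
    PKT_NEED_MORE = 2, /* prefix or body not fully in the buffer yet */
    PKT_ERROR = -1     /* malformed: non-hex length, or length 1..3 */
};

struct pkt {
    const char *payload;  /* points into the caller's buffer, not copied */
    size_t payload_len;   /* bytes after the 4-byte length prefix */
    size_t consumed;      /* bytes of the buffer this packet used */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* What a parser computes for the body size if it subtracts the prefix
 * without a range check: for pktlen 1..3 this wraps to a huge size_t,
 * exactly the kind of value that walks a reader off the end of its buffer. */
size_t naive_payload_len(size_t pktlen)
{
    return pktlen - 4;
}

/* Parse one pkt-line from buf[0..len). Never reads past len. */
enum pkt_status pkt_parse(const char *buf, size_t len, struct pkt *out)
{
    size_t pktlen = 0;
    int i;

    memset(out, 0, sizeof(*out));
    if (len < 4)
        return PKT_NEED_MORE;            /* no complete length prefix yet */

    for (i = 0; i < 4; i++) {
        int v = hexval(buf[i]);
        if (v < 0)
            return PKT_ERROR;            /* non-hex length prefix */
        pktlen = (pktlen << 4) | (size_t)v;
    }

    if (pktlen == 0) {                   /* flush-pkt */
        out->consumed = 4;
        return PKT_FLUSH;
    }
    if (pktlen < 4)
        return PKT_ERROR;                /* cannot even hold its own prefix */
    if (pktlen > len)
        return PKT_NEED_MORE;            /* body extends past what we hold */

    out->payload = buf + 4;
    out->payload_len = pktlen - 4;       /* safe: pktlen >= 4 is established */
    out->consumed = pktlen;
    return PKT_OK;
}

/* Walk a buffer of pkt-lines up to the first flush-pkt.
 * Returns the number of data packets, -1 on a malformed packet,
 * -2 if the buffer ends before a flush-pkt (truncated stream). */
int count_pkts(const char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        struct pkt p;
        enum pkt_status st = pkt_parse(buf + off, len - off, &p);
        if (st == PKT_ERROR) return -1;
        if (st == PKT_NEED_MORE) return -2;
        off += p.consumed;
        if (st == PKT_FLUSH) return n;
        n++;
    }
    return -2;
}

int main(void)
{
    /* Constructed sample stream for this example, not captured from a real server. */
    static const char stream[] = "0008want000ahave1\n0000";
    printf("packets before flush: %d\n", count_pkts(stream, sizeof(stream) - 1));
    printf("naive body length for prefix 0002: %zu\n", naive_payload_len(2));
    return 0;
}
```

The point of `naive_payload_len` is only to show why the `pktlen < 4` check exists: a prefix of "0001".."0003" is syntactically valid hex but describes a packet shorter than its own header, and subtracting the header from it silently produces a near-SIZE_MAX length. The `pktlen > len` check is the other half, covering a well-formed prefix whose body the buffer does not yet contain.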
Current thread:
- CVE Request: two security fixes in libgit2 0.25.1, 0.24.6 Andreas Stieger (Jan 10)
- Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6 cve-assign (Jan 10)
- Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6 Carlos Martín Nieto (Jan 11)
- Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6 cve-assign (Jan 10)