FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
2523bc76-4f01-11ed-929b-002590f2a714git -- Multiple vulnerabilities

This release contains 2 security fixes:

CVE-2022-39253

When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository. Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory. Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

CVE-2022-39260

An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.


Discovery 2022-06-09
Entry 2022-10-18
git
< 2.38.1

git-lite
< 2.38.1

git-tiny
< 2.38.1

CVE-2022-39253
CVE-2022-39260
https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u
67765237-8470-11ea-a283-b42e99a1b9c3malicious URLs can cause git to send a stored credential to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.


Discovery 2020-04-20
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-lite
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

git-gui
ge 2.26.0 lt 2.26.2

ge 2.25.0 lt 2.25.4

ge 2.24.0 lt 2.24.3

ge 2.23.0 lt 2.23.3

ge 2.22.0 lt 2.22.4

ge 2.21.0 lt 2.21.3

ge 2.20.0 lt 2.20.4

ge 2.19.0 lt 2.19.5

ge 2.18.0 lt 2.18.4

ge 0 lt 2.17.5

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
CVE-2020-11008
ced2d47e-8469-11ea-a283-b42e99a1b9c3malicious URLs may present credentials to wrong server

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.


Discovery 2020-04-14
Entry 2020-04-22
git
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-lite
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

git-gui
ge 2.26.0 lt 2.26.1

ge 2.25.0 lt 2.25.3

ge 2.24.0 lt 2.24.2

ge 2.23.0 lt 2.23.2

ge 2.22.0 lt 2.22.3

ge 2.21.0 lt 2.21.2

ge 2.20.0 lt 2.20.3

ge 2.19.0 lt 2.19.4

ge 2.18.0 lt 2.18.3

ge 0 lt 2.17.4

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
CVE-2020-5260
b99f99f6-021e-11ed-8c6f-000c29ffbb6cgit -- privilege escalation

The git project reports:

Git is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository.


Discovery 2022-07-12
Entry 2022-07-12
git
< 2.37.1

CVE-2022-29187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187