Everybody please update their git clients (SECURITY)

For topics that do not fit in another sub-forum.

Moderator: Oberlus

Ophiuchus
Programmer
Posts: 3433
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

Everybody please update their git clients (SECURITY)

#1 Post by Ophiuchus »

Git (<=2.26) can be made to leak credentials. git >= 2.26.1 fixes this.

https://github.blog/2020-04-14-git-cred ... announced/
Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.

Look, ma... four combat bouts!

Oberlus
Cosmic Dragon
Posts: 5714
Joined: Mon Apr 10, 2017 4:25 pm

Re: Everybody please update their git clients (SECURITY)

#2 Post by Oberlus »

Ophiuchus wrote: Wed Apr 15, 2020 4:58 pm Git (<=2.26) can be made to leak credentials. git >= 2.26.1 fixes this.
Thanks for the notice!

I successfully upgraded my Ubuntu 18.04 git to 2.26.1 by doing this:

Code:

sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt upgrade


Re: Everybody please update their git clients (SECURITY)

#3 Post by Ophiuchus »

Oberlus wrote: Wed Apr 15, 2020 7:51 pm
Ophiuchus wrote: Wed Apr 15, 2020 4:58 pm Git (<=2.26) can be made to leak credentials. git >= 2.26.1 fixes this.
Thanks for the notice!

I successfully upgraded my Ubuntu 18.04 git to 2.26.1 by doing this:

Code:

sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt upgrade
Hm.
I would be pretty sure that Ubuntu 18.04 had fixes available at the time of disclosure... ah, found it: https://usn.ubuntu.com/4329-1/

Code:

Ubuntu 18.04 LTS
    git - 1:2.17.1-1ubuntu0.6
That one is in the standard bionic-updates repository.


Re: Everybody please update their git clients (SECURITY)

#4 Post by Oberlus »

Well, I first tried sudo apt upgrade and got 0 updates, so I looked for a newer version. Maybe it got installed automatically a few hours earlier.
If 2.26 causes any trouble I'll revert back. Otherwise I'm ahead of my time 8)

adrian_broher
Programmer
Posts: 1156
Joined: Fri Mar 01, 2013 9:52 am
Location: Germany

Re: Everybody please update their git clients (SECURITY)

#5 Post by adrian_broher »

Resident code gremlin
Attached patches are released under GPL 2.0 or later.
Git author: Marcel Metz


Re: Everybody please update their git clients (SECURITY)

#6 Post by Ophiuchus »

adrian_broher wrote: Tue Apr 21, 2020 11:02 pm The blog article is incomplete:

https://github.com/git/git/security/adv ... -c969-7j4q
Almost missed the link in the first line of the blog post.

Anything specifically important missing?


Re: Everybody please update their git clients (SECURITY)

#7 Post by Oberlus »

Ophiuchus wrote: Wed Apr 22, 2020 5:44 am Anything specifically important missing?
Mostly that git >= 2.26.1 does not fix it; it should be git >= 2.26.2


Re: Everybody please update their git clients (SECURITY)

#8 Post by Ophiuchus »

Oberlus wrote: Wed Apr 22, 2020 7:30 am
Ophiuchus wrote: Wed Apr 22, 2020 5:44 am Anything specifically important missing?
Mostly that git >= 2.26.1 does not fix it; it should be git >= 2.26.2
Uhm... no. The advisory says:

Affected versions
<= 2.17.3, 2.18.2, 2.19.3, 2.20.2, 2.21.1, 2.22.2, 2.23.1, 2.24.1, 2.25.2, 2.26.0

Patched versions
2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1
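A version check against the advisory table quoted above, added here as an example (not code from the thread, the git project or Ubuntu). It classifies a `git --version` string as patched, affected or newer, and separately shows the check that actually matters on Ubuntu 18.04: the backported package revision 1:2.17.1-1ubuntu0.6 from USN-4329-1 mentioned earlier in the thread, since the upstream version string stays 2.17.1 there. Function names are my own.

```shell
#!/bin/sh
# First patched release (third component) for each minor series in the advisory
# table. Series older than 2.17 have no patched release listed, so the lookup
# fails and the caller treats them as affected.
patched_for_series() {
    case "$1" in
        2.17) echo 4 ;;  2.18) echo 3 ;;  2.19) echo 4 ;;  2.20) echo 3 ;;
        2.21) echo 2 ;;  2.22) echo 3 ;;  2.23) echo 2 ;;  2.24) echo 2 ;;
        2.25) echo 3 ;;  2.26) echo 1 ;;
        *) return 1 ;;
    esac
}

# Classify the output of `git --version` (e.g. "git version 2.26.0",
# "git version 2.24.3 (Apple Git-128)", "git version 2.26.0.windows.1")
# as patched, affected or newer (a series above 2.26 already carries the fix).
classify_git_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$ver" ] || { echo unparsable; return 2; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "2.26" means 2.26.0
    patch=${patch%%.*}                  # drop any 4th component (e.g. Windows builds)
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 26 ]; }; then
        echo newer
        return 0
    fi
    need=$(patched_for_series "$major.$minor") || { echo affected; return 1; }
    if [ "$patch" -ge "$need" ]; then
        echo patched
    else
        echo affected
        return 1
    fi
}

# Debian/Ubuntu backport the fix without bumping the upstream version, so
# `git --version` on a patched bionic box still says 2.17.1 and the function
# above reports "affected". Compare the package revision instead;
# 1:2.17.1-1ubuntu0.6 is the bionic fix from USN-4329-1 quoted in the thread.
ubuntu_bionic_git_patched() {
    pkgver=$(dpkg-query -W -f='${Version}' git 2>/dev/null) || return 2
    dpkg --compare-versions "$pkgver" ge "1:2.17.1-1ubuntu0.6"
}

# Stand-alone usage: classify the git found on this machine.
classify_git_version "$(git --version 2>/dev/null)" || :
```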


Re: Everybody please update their git clients (SECURITY)

#9 Post by Oberlus »

Gah! You're right, Ophiuchus.


Re: Everybody please update their git clients (SECURITY)

#10 Post by Ophiuchus »

Oberlus wrote: Wed Apr 22, 2020 11:01 am Gah! You're right, Ophiuchus.
Why did you even doubt me? :lol:


Re: Everybody please update their git clients (SECURITY)

#11 Post by Oberlus »

Ophiuchus wrote: Wed Apr 22, 2020 11:04 am
Oberlus wrote: Wed Apr 22, 2020 11:01 am Gah! You're right, Ophiuchus.
Why did you even doubt me? :lol:
Hahaha.
I didn't at the start. But when I opened that Git repo's issue link I read the versions line as if it were just one (and so I thought that 2.26.1 was preceded by the initial <= for affected versions).
