Vulnerabilities in Git that allow files to be overwritten or arbitrary code to be executed

Corrective releases of the distributed source control system Git 2.40.1, 2.39.3, 2.38.5, 2.37.7, 2.36.6, 2.35.8, 2.34.8, 2.33.8, 2.32.7, 2.31.8 and 2.30.9 have been published, fixing five vulnerabilities. You can follow the release of package updates in distributions on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD. As a workaround to protect against the vulnerabilities, it is recommended to avoid running the "git apply --reject" command when working with untested external patches, and to inspect the contents of $GIT_DIR/config before running "git submodule deinit", "git config --rename-section" and "git config --remove-section" when dealing with untrusted repositories.

Vulnerability CVE-2023-29007 allows settings in the $GIT_DIR/config configuration file to be substituted, which can be used to execute code on the system by specifying paths to executable files in the core.pager, core.editor and core.sshCommand directives. The vulnerability is caused by a logic error due to which a very long configuration value can be treated as the beginning of a new section when a section is renamed or deleted from the config file. In practice, substitution of exploitable values can be achieved by specifying very long submodule URLs, which are stored in the $GIT_DIR/config file during initialization. These URLs can be interpreted as new settings when an attempt is made to remove them via "git submodule deinit".
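The workaround above asks the user to inspect $GIT_DIR/config before deinitializing submodules or removing sections. As an added illustration (not code from the article or from the Git project), the following script parses the INI-like config format and reports the three things the text singles out: unusually long values, submodule URLs, and settings that name an executable. The 1024-character threshold and the sample config are assumptions chosen for the example.

```python
import re

# Directives the article names as paths that Git executes; a substituted
# value here leads to code execution.
EXEC_KEYS = {"core.pager", "core.editor", "core.sshcommand"}
# Length above which a value is reported as suspiciously long (assumed threshold).
LONG_VALUE = 1024

SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]\s*$')


def parse_git_config(text):
    """Minimal parser for the $GIT_DIR/config format.
    Returns (section, subsection, key, value) tuples in file order."""
    entries = []
    section, subsection = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            entries.append((section, subsection, key.strip().lower(), value.strip()))
    return entries


def audit_git_config(text, long_value=LONG_VALUE):
    """Return human-readable findings for the text of a config file."""
    findings = []
    for section, sub, key, value in parse_git_config(text):
        full = f"{section}.{key}" if sub is None else f'{section}."{sub}".{key}'
        if len(value) >= long_value:
            findings.append(f"long value ({len(value)} chars) in {full}")
        if section == "submodule" and key == "url":
            findings.append(f"submodule URL in {full}: {value[:60]}")
        if sub is None and f"{section}.{key}" in EXEC_KEYS:
            findings.append(f"executable path set: {full} = {value}")
    return findings


# Constructed sample config with an overlong submodule URL (not from a real repository).
SAMPLE = "[core]\n\tpager = less\n[remote \"origin\"]\n\turl = https://example.invalid/repo.git\n"
SAMPLE += "[submodule \"lib\"]\n\turl = https://example.invalid/" + "a" * 2000 + "\n"

if __name__ == "__main__":
    for finding in audit_git_config(SAMPLE):
        print(finding)
```

On a real repository the same checks can be run over the output of `git config --list --show-origin` instead of reading the file directly.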

Vulnerability CVE-2023-25652 allows the contents of files outside the working tree to be overwritten when specially crafted patches are processed by the "git apply --reject" command. If an attempt is made to apply a malicious patch with the "git apply" command that tries to write to a file through a symbolic link, the operation is rejected. In Git 2.39.1, the symlink manipulation protection was extended to block patches that create symlinks and then attempt to write through them. The essence of the vulnerability under consideration is that Git did not take into account that the user could run the "git apply --reject" command to write the rejected parts of the patch as files with the ".rej" extension, and an attacker could use this to write content to an arbitrary directory, within the current permissions.

Additionally, three vulnerabilities that manifest only on the Windows platform have been fixed: CVE-2023-29012 (the doskey.exe executable is searched for in the repository's working directory when the "Git CMD" command is run, which allows an attacker to arrange for their code to be executed on the user's system), CVE-2023-25815 (a buffer overflow when processing custom locale files in gettext) and CVE-2023-29011 (the possibility of substituting the connect.exe file when working via SOCKS5).

source: budenet.ru
