Vulnerabilities in Git that allow overwriting files or executing your own code

Corrective releases of the distributed version control system Git 2.40.1, 2.39.3, 2.38.5, 2.37.7, 2.36.6, 2.35.8, 2.34.8, 2.33.8, 2.32.7, 2.31.8 and 2.30.9 have been published, fixing five vulnerabilities. You can follow the release of package updates in distributions on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, FreeBSD. As a workaround, it is recommended to avoid the "git apply --reject" command when working with unverified external patches, and to check the contents of $GIT_DIR/config before running "git submodule deinit", "git config --rename-section" and "git config --remove-section" when dealing with untrusted repositories.

The vulnerability CVE-2023-29007 allows settings to be injected into the $GIT_DIR/config configuration file, which can be used to execute code on the system by specifying paths to executable files in the core.pager, core.editor and core.sshCommand directives. The vulnerability is caused by a logic error due to which very long configuration values can be treated as the beginning of a new section when a section is renamed or removed from the configuration file. In practice, malicious values can be substituted by specifying very long URLs, which are saved in the $GIT_DIR/config file during initialization. These URLs can be interpreted as new settings when an attempt is made to remove them via "git submodule deinit".
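The recommended check of $GIT_DIR/config can be partly automated. The following is an added example, not code from the article or from the Git project: it flags over-long lines and any core.pager, core.editor or core.sshCommand setting. The function name audit_git_config, the 1024-character default threshold (the article only says "very long") and the sample config are assumptions made for illustration.

```python
import re
import sys

# Directives the article names as able to point Git at an executable.
EXEC_KEYS = {"core.pager", "core.editor", "core.sshcommand"}
SECTION_RE = re.compile(r'^\s*\[([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\]')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

# Constructed sample config (not from the article): one executable-path
# setting and one over-long URL value made of harmless padding.
SAMPLE = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tsshCommand = /tmp/helper.sh\n"
    '[submodule "lib"]\n'
    "\turl = https://example.invalid/" + "a" * 2000 + "\n"
)


def audit_git_config(text, max_line=1024):
    """Return (line_number, kind, detail) findings for a Git config text.

    max_line is an assumed threshold; the article only says "very long".
    """
    findings = []
    section = ""
    # Split on "\n" only, so line lengths match what is stored in the file.
    for lineno, line in enumerate(text.split("\n"), 1):
        if len(line) > max_line:
            findings.append((lineno, "long-line", f"{len(line)} chars"))
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            line = line[header.end():]  # "key = value" may follow the header
        entry = KEY_RE.match(line)
        if entry and f"{section}.{entry.group(1).lower()}" in EXEC_KEYS:
            value = (entry.group(2) or "").strip()
            findings.append((lineno, "exec-setting",
                             f"{section}.{entry.group(1)} = {value}"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_config.py path/to/.git/config (no argument: SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for finding in audit_git_config(data):
        print(*finding, sep="\t")
```

A "long-line" finding is the one to treat as a stop sign before running the section-editing commands; an "exec-setting" finding only means the value should be reviewed by a person.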

The vulnerability CVE-2023-25652 allows the contents of files outside the working tree to be overwritten when specially crafted patches are processed by the "git apply --reject" command. If you try to apply a malicious patch with the "git apply" command that attempts to write to a file through a symbolic link, the operation will be rejected. In Git 2.39.1, the protection against symlink manipulation was extended to block patches that create symlinks and attempt to write through them. The essence of the vulnerability in question is that Git did not take into account that the user can run the "git apply --reject" command to write the rejected parts of the patch as files with the ".rej" extension, and an attacker can use this opportunity to write contents to an arbitrary directory, as far as the current permissions allow.

In addition, three vulnerabilities that appear only on the Windows platform have been fixed: CVE-2023-29012 (a search for doskey.exe in the working directory of the repository when running the "Git CMD" command, which makes it possible to arrange execution of your own code on the user's system), CVE-2023-25815 (a buffer overflow when processing localization files in gettext) and CVE-2023-29011 (the possibility of substituting the connect.exe file when working through SOCKS5).

Source: opennet.ru
