Vulnerabilities in Git that allow overwriting files or executing your own code

Corrective releases Git 2.40.1, 2.39.3, 2.38.5, 2.37.7, 2.36.6, 2.35.8, 2.34.8, 2.33.8, 2.32.7, 2.31.8 and 2.30.9 have been published, fixing five vulnerabilities. You can follow the release of package updates in distributions on the Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD pages. As a workaround to protect against the vulnerabilities, it is recommended to avoid running the "git apply --reject" command when working with unverified external patches, and to check the contents of $GIT_DIR/config before running "git submodule deinit", "git config --rename-section" and "git config --remove-section" when dealing with untrusted repositories.

Vulnerability CVE-2023-29007 allows settings to be injected into the $GIT_DIR/config configuration file, which can be used to execute code on the system by specifying paths to executable files in the core.pager, core.editor and core.sshCommand directives. The vulnerability is caused by a logic error because of which very long configuration values can be treated as the beginning of a new section when a section is renamed or removed from the configuration file. In practice, the injection of exploiting values can be achieved by specifying very long URLs that are saved to the $GIT_DIR/config file during initialization. These URLs can be interpreted as new settings when an attempt is made to remove them via "git submodule deinit".
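One way to carry out the recommended check of $GIT_DIR/config before running the section rename or removal commands, as an added example that is not part of the original article or of Git itself. The function name `audit_config`, the 1000-byte threshold and the sample configuration are assumptions made for illustration; the article only says "very long".

```python
import re
import sys

MAX_LINE = 1000  # assumed threshold; the article only says "very long"
EXEC_KEYS = {"core.pager", "core.editor", "core.sshcommand"}  # directives named in the article
SECTION_RE = re.compile(rb'\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\s*\]')
KEY_RE = re.compile(rb'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

# Constructed sample config: one oversized URL value and one executable-path key.
SAMPLE = (
    b'[core]\n\trepositoryformatversion = 0\n'
    b'[submodule "lib"]\n\turl = https://example.invalid/' + b"a" * 1200 + b'\n'
    b'[Core] sshCommand = ssh -o BatchMode=yes\n'
)


def audit_config(data: bytes, max_line: int = MAX_LINE):
    """Return (line_no, kind, detail) findings for the raw bytes of a git config file."""
    findings = []
    section = ""
    for no, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        # Oversized lines are the precondition described for CVE-2023-29007.
        if len(line) > max_line:
            findings.append((no, "long-line", f"{len(line)} bytes"))
        m = SECTION_RE.match(line)
        if m:
            # Section names are case-insensitive in git config.
            section = m.group(1).decode("ascii").lower()
            line = line[m.end():]  # git accepts "[core] pager = x" on one line
        k = KEY_RE.match(line)
        if k:
            name = f"{section}.{k.group(1).decode('ascii').lower()}"
            if name in EXEC_KEYS:
                value = (k.group(2) or b"").decode("utf-8", "replace")
                findings.append((no, "exec-key", f"{name} = {value}"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_git_config.py path/to/.git/config (no argument: audit SAMPLE)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    results = audit_config(blob)
    for no, kind, detail in results:
        print(f"line {no}: {kind}: {detail}")
    sys.exit(1 if results else 0)
```

Every "exec-key" finding is listed for manual review, since legitimate repositories also set these directives; a continued value line that happens to look like a key may be over-reported.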

Vulnerability CVE-2023-25652 allows the contents of files outside the working tree to be overwritten when specially crafted patches are processed with the "git apply --reject" command. If you try to apply a malicious patch with the "git apply" command that attempts to write to a file through a symbolic link, the operation is rejected. In Git 2.39.1, the protection against symlink manipulation was extended to block patches that create symlinks and try to write through them. The essence of the vulnerability in question is that Git did not take into account that the user can run the "git apply --reject" command to write the rejected parts of the patch as files with the ".rej" extension, and an attacker can use this opportunity to write content to an arbitrary directory, as far as the current permissions allow.

In addition, three vulnerabilities that appear only on the Windows platform have been fixed: CVE-2023-29012 (searching for the doskey.exe executable in the working directory of the repository when running the "Git CMD" command, which allows the execution of your own code on the user's system), CVE-2023-25815 (a buffer overflow when processing localization files in gettext) and CVE-2023-29011 (the possibility of substituting the connect.exe file when working through SOCKS5).

Source: opennet.ru
