Updated libgit2 packages fix security vulnerabilities
Publication date: 14 Mar 2024
Modification date: 14 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-22742, CVE-2024-24577
Description
When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. (CVE-2023-22742) Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. (CVE-2024-24577)
References
- https://bugs.mageia.org/show_bug.cgi?id=30633
- https://www.debian.org/lts/security/2023/dla-3340
- https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
- https://lists.suse.com/pipermail/sle-security-updates/2023-March/014158.html
- https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24577
SRPMS
9/core
- libgit2-1.3.2-1.1.mga9