* CVE-2022-24975 @ 2022-06-01 20:55 Mark Esler 2022-06-01 21:12 ` CVE-2022-24975 Junio C Hamano 0 siblings, 1 reply; 4+ messages in thread From: Mark Esler @ 2022-06-01 20:55 UTC (permalink / raw) To: git Hello, Could the git developers state their position on CVE-2022-24975? Is it disputed or will it be addressed by upstream? As I read the documentation, --mirror is working as stated and MITRE should remove the CVE. Thank you, Mark Esler ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2022-24975 2022-06-01 20:55 CVE-2022-24975 Mark Esler @ 2022-06-01 21:12 ` Junio C Hamano 2022-06-01 21:40 ` CVE-2022-24975 Mark Esler 2022-06-06 15:11 ` CVE-2022-24975 Dyer, Edwin 0 siblings, 2 replies; 4+ messages in thread From: Junio C Hamano @ 2022-06-01 21:12 UTC (permalink / raw) To: Mark Esler; +Cc: git Mark Esler <mark.esler@canonical.com> writes: > Hello, > > Could the git developers state their position on CVE-2022-24975? Is it > disputed or will it be addressed by upstream? > > As I read the documentation, --mirror is working as stated and MITRE > should remove the CVE. > > Thank you, > Mark Esler It took me a while to Google for "gitbleed" as I got tons of GI bleed but no Gitbleed, so a quick conclusion is there is no such credible thing called gitbleed ;-) Jokes aside (yes, I know about [*]). As you said, "A repository can have more than what branch heads and tags can reach, and the --mirror option is a way to copy all the things that are reachable from other refs. It is 100% working as intended." During the discussion about [*] on git-security@ mailing lsit, everybody said that it is dubious that CVE is warranted. I am not sure there is anything more for us to do. [Reference] * https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/ the author of which asked git-security@ list and after getting things explained, accepted that this is a "working as intended" functionality and promised to adjust the blog post entry not to imply that the entire repository can be copied. I do not know how much correction was actually made since then, though. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2022-24975 2022-06-01 21:12 ` CVE-2022-24975 Junio C Hamano @ 2022-06-01 21:40 ` Mark Esler 2022-06-06 15:11 ` CVE-2022-24975 Dyer, Edwin 1 sibling, 0 replies; 4+ messages in thread From: Mark Esler @ 2022-06-01 21:40 UTC (permalink / raw) To: Junio C Hamano; +Cc: git Thanks Junio! ^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: CVE-2022-24975 2022-06-01 21:12 ` CVE-2022-24975 Junio C Hamano 2022-06-01 21:40 ` CVE-2022-24975 Mark Esler @ 2022-06-06 15:11 ` Dyer, Edwin 1 sibling, 0 replies; 4+ messages in thread From: Dyer, Edwin @ 2022-06-06 15:11 UTC (permalink / raw) To: Junio C Hamano, Mark Esler; +Cc: git@vger.kernel.org Greetings: If it helps, Qualys isn't flagging this CVE as we use Git in several versions. I checked our main Git box and nary a flag for it. Ed Dyer DevOps Engineer Malum Consilium Quod Mutari Non Potest -----Original Message----- From: Junio C Hamano <gitster@pobox.com> Sent: Wednesday, June 1, 2022 5:13 PM To: Mark Esler <mark.esler@canonical.com> Cc: git@vger.kernel.org Subject: Re: CVE-2022-24975 [EXTERNAL EMAIL] – Think Security! Mark Esler <mark.esler@canonical.com> writes: > Hello, > > Could the git developers state their position on CVE-2022-24975? Is it > disputed or will it be addressed by upstream? > > As I read the documentation, --mirror is working as stated and MITRE > should remove the CVE. > > Thank you, > Mark Esler It took me a while to Google for "gitbleed" as I got tons of GI bleed but no Gitbleed, so a quick conclusion is there is no such credible thing called gitbleed ;-) Jokes aside (yes, I know about [*]). As you said, "A repository can have more than what branch heads and tags can reach, and the --mirror option is a way to copy all the things that are reachable from other refs. It is 100% working as intended." During the discussion about [*] on git-security@ mailing lsit, everybody said that it is dubious that CVE is warranted. I am not sure there is anything more for us to do. [Reference] * https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/ the author of which asked git-security@ list and after getting things explained, accepted that this is a "working as intended" functionality and promised to adjust the blog post entry not to imply that the entire repository can be copied. I do not know how much correction was actually made since then, though. ______________________________________________________________________ The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer. ______________________________________________________________________ ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-06-06 15:11 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-06-01 20:55 CVE-2022-24975 Mark Esler 2022-06-01 21:12 ` CVE-2022-24975 Junio C Hamano 2022-06-01 21:40 ` CVE-2022-24975 Mark Esler 2022-06-06 15:11 ` CVE-2022-24975 Dyer, Edwin
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.