From the description, this looks like fallout from CVE-2022-39253
https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253
associated with the release of git 2.38.1 and the back port of the associated patch
to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4.
https://<email address hidden>/
From the GitHub blog:
"This vulnerability can be used to break security boundaries, by injecting sensitive content into a malicious Docker container, for example. This attack relies on the existence of a symbolic link inside of a repository’s $GIT_DIR/objects directory, meaning that you must either clone a malicious repository locally, or clone a malicious repository packaged as a local submodule inside of another repository."
Thanks to jpetazzo for the alert at
https://twitter.com/jpetazzo/status/1583112279012257797
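A defender-side check for the condition the quoted advisory describes (a symbolic link inside a repository's $GIT_DIR/objects, including object stores of local submodules under .git/modules). This is an added example, not code from git, GitHub or the original comment; the repository layout it builds is a constructed fake checkout, not a real clone.

```python
"""Flag symbolic links inside a checkout's object store(s)."""
import os
import tempfile
from pathlib import Path


def object_dirs(repo):
    """Yield the main objects/ directory and every objects/ under .git/modules."""
    git_dir = Path(repo) / ".git"
    if (git_dir / "objects").exists():
        yield git_dir / "objects"
    modules = git_dir / "modules"
    if modules.is_dir():
        # os.walk does not follow symlinks, so a symlinked directory is listed but not entered
        for dirpath, dirnames, _ in os.walk(modules):
            if "objects" in dirnames:
                yield Path(dirpath) / "objects"


def find_object_symlinks(repo):
    """Return repo-relative paths of all symlinks found in the object store(s)."""
    repo = Path(repo)
    hits = []
    for objects in object_dirs(repo):
        if objects.is_symlink():          # the objects directory itself may be the link
            hits.append(str(objects.relative_to(repo)))
            continue
        for dirpath, dirnames, filenames in os.walk(objects, followlinks=False):
            for name in dirnames + filenames:
                entry = Path(dirpath) / name
                if entry.is_symlink():
                    hits.append(str(entry.relative_to(repo)))
    return sorted(hits)


def build_demo_repo(with_symlinks=True):
    """Constructed sample: a minimal fake .git layout (not produced by git) for the check."""
    repo = Path(tempfile.mkdtemp(prefix="gitobjcheck-"))
    objects = repo / ".git" / "objects" / "ab"
    objects.mkdir(parents=True)
    (objects / "cdef").write_bytes(b"placeholder loose object")  # benign regular file
    if with_symlinks:
        os.symlink("../../../../outside-the-repo", objects / "ffff")  # constructed link
        pack = repo / ".git" / "modules" / "vendor" / "objects" / "pack"
        pack.mkdir(parents=True)
        os.symlink("..", pack / "escape")  # constructed link inside a submodule store
    return repo


if __name__ == "__main__":
    print(find_object_symlinks(build_demo_repo()))
```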