Comment 2 for bug 1993586

Edward Vielmetti (edward-vielmetti) wrote :

From the description, this looks like fallout from CVE-2022-39253

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253

associated with the release of git 2.38.1 and the backport of the associated patch
to v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4.

https://<email address hidden>/

From the Github blog:

"This vulnerability can be used to break security boundaries, by injecting sensitive content into a malicious Docker container, for example. This attack relies on the existence of a symbolic link inside of a repository’s $GIT_DIR/objects directory, meaning that you must either clone a malicious repository locally, or clone a malicious repository packaged as a local submodule inside of another repository."

Thanks to jpetazzo for the alert at

https://twitter.com/jpetazzo/status/1583112279012257797
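As an added example (not part of this bug report and not git's own code), a defender-side check in Python that inspects a repository before an operation such as a local clone: it lists every symlink under the objects directory, which is the precondition the quoted description names. The repository layout it inspects is constructed inline for the demonstration.

```python
import os
import tempfile


def find_symlinks_in_objects(repo_path):
    """Return paths (relative to repo_path) of every symlink found under
    the repository's objects directory, including symlinked directories
    and the objects directory itself.  Symlinks are never followed, so a
    link pointing outside the repository is reported, not traversed."""
    git_dir = os.path.join(repo_path, ".git")
    if not os.path.isdir(git_dir):
        git_dir = repo_path  # bare repository: objects/ sits at the top level
    objects_dir = os.path.join(git_dir, "objects")
    found = []
    if os.path.islink(objects_dir):
        found.append(os.path.relpath(objects_dir, repo_path))
        return found
    for root, dirs, files in os.walk(objects_dir, followlinks=False):
        # os.walk lists symlinked directories in `dirs` but does not
        # descend into them when followlinks=False, so both kinds of
        # link are caught here.
        for name in dirs + files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                found.append(os.path.relpath(full, repo_path))
    return sorted(found)


def build_demo_repo():
    """Constructed sample: a fake repository layout whose objects
    directory holds one regular loose object and one symlink pointing
    at a file outside the repository (the hypothetical 'secret.txt')."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("not a git object\n")
    repo = os.path.join(base, "repo")
    loose = os.path.join(repo, ".git", "objects", "ab")
    os.makedirs(loose)
    with open(os.path.join(loose, "cdef0123"), "wb") as fh:
        fh.write(b"x")
    os.symlink(outside, os.path.join(loose, "9999999"))
    return repo


if __name__ == "__main__":
    for link in find_symlinks_in_objects(build_demo_repo()):
        print("symlink inside objects directory:", link)
```

A clean repository yields an empty list; any entry returned is a reason not to clone it with the local, hardlink-based code path on an unpatched git.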