Update git because of CVE-2022-23521

Bug #2003204 reported by Jan Bauer
This bug affects 2 people
Affects: git (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Please provide the latest git for Ubuntu LTS (18, 20 and 22)

The current version appears to be 2.39.1. The versions available from apt seem to be pretty old. We still have some systems with Ubuntu 18 LTS, and I see 2.17.1 there after running sudo apt update && sudo apt upgrade -y

See also: https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89


Bernard Stafford (bernard010) wrote (last edit ):
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in git (Ubuntu):
status: New → Confirmed
Jan Bauer (jankbauer) wrote :

It appears that Canonical does not want to provide a fixed version.

So I decided to change the git source repo, and get a fresh git with:

sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt install git -y

Now check the version with: git --version

It reports 2.39.2 and works on Ubuntu 18.04 without issues.

Conclusion: there is no reason to stick at the old git 2.17.1 on that distro.

Eliah Kagan (degeneracypressure) wrote (last edit ):

As shown at https://ubuntu.com/security/CVE-2022-23521, Canonical *did* provide a fix for this, including for the three versions of Ubuntu mentioned here (18.04 bionic, 20.04 focal, 22.04 jammy). That Ubuntu Security Notice was published a day before this bug report was opened, and unless I'm missing something, it looks like this bug report was based on a misconception about how security patches and their associated versioning works.

Most security patches in Debian, Ubuntu, and most (though not all) distros are provided as patched versions that add only the fix for the security vulnerability, without new feature changes. In Ubuntu, this relates to https://wiki.ubuntu.com/StableReleaseUpdates. That is what https://bugs.launchpad.net/ubuntu/+source/git/+bug/2003204/comments/1 above is referring to. The fixed packages' version numbers did not match the expectation expressed in the bug description here, but they did fix the bug.

Of course, it can still be valuable to use ppa:git-core/ppa if one wants the *features* of a new git version, such as performance, additional options, more user-friendly messages, and so forth. But getting fixes for security vulnerabilities does not generally require this, and did not require it in the case of CVE-2022-23521.
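The practical check behind the last comment (and the one the PPA workaround above skips) is to read the package changelog rather than the upstream version string: an Ubuntu security update keeps the 2.17.1 upstream version on bionic and records the CVE in the changelog stanza of the new package revision. On a real system that is `apt-get changelog git | grep -n CVE-2022-23521` next to `apt-cache policy git`. The script below is an added example, not code from this bug thread, from Ubuntu or from git; it parses a Debian-style changelog and reports the first package version that mentions a given CVE. The changelog text it runs against is constructed for illustration (version strings, maintainer and dates are made up), and the `check_installed` function, which runs the same parse against `apt-get changelog` and `dpkg-query` output on a live machine, is defined but not invoked.

```shell
#!/bin/sh
# Added example: does a Debian/Ubuntu package already carry a backported fix
# for a CVE? Ubuntu security updates patch the existing upstream version in
# place, so the upstream version (2.17.1 on bionic) does not move; the
# evidence is the CVE identifier in the package changelog.

# fixed_version_for_cve CVE_ID   (changelog text on stdin)
# Prints the version of the newest changelog stanza whose body mentions
# CVE_ID and returns 0; prints nothing and returns 1 if no stanza does.
# Debian changelogs are newest-first, so the first hit is the newest
# revision that still describes the fix.
fixed_version_for_cve() {
    awk -v cve="$1" '
        # Stanza header: "git (1:2.17.1-1ubuntu0.17) bionic-security; urgency=medium"
        /^[a-z0-9][a-z0-9+.-]* \(.*\) [a-z]/ {
            ver = $2
            sub(/^\(/, "", ver); sub(/\)$/, "", ver)
            next
        }
        # Body and trailer lines are indented; a body line naming the CVE
        # belongs to the most recent header seen above it.
        ver != "" && index($0, cve) { print ver; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# check_installed PACKAGE CVE_ID
# Live variant for a real system (defined here, not run): fetches the
# changelog of the installed package with apt-get (needs network) and
# compares the installed version with the first one that mentions the CVE.
check_installed() {
    pkg="$1"; cve="$2"
    installed=$(dpkg-query -W -f='${Version}' "$pkg") || return 2
    fixed=$(apt-get changelog "$pkg" | fixed_version_for_cve "$cve") || {
        echo "$pkg $installed: changelog never mentions $cve"; return 1; }
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo "$pkg $installed: $cve fixed since $fixed"
    else
        echo "$pkg $installed: $cve fixed in $fixed, not yet installed"; return 1
    fi
}

# Constructed sample changelog in Ubuntu's security-update layout. Version
# strings, maintainer and dates are illustrative, not git's real changelog.
SAMPLE_CHANGELOG='git (1:2.17.1-1ubuntu0.17) bionic-security; urgency=medium

  * SECURITY UPDATE: gitattributes parsing (GHSA-c738-c5qq-xg89)
    - CVE-2022-23521

 -- Example Maintainer <security@example.com>  Tue, 17 Jan 2023 10:00:00 +0000

git (1:2.17.1-1ubuntu0.13) bionic; urgency=medium

  * No-change rebuild (no security content, no CVE mentioned)

 -- Example Maintainer <security@example.com>  Mon, 03 Oct 2022 10:00:00 +0000
'

# The same file as it looked before the security update shipped
# (only the older stanza).
SAMPLE_CHANGELOG_OLD=$(printf '%s' "$SAMPLE_CHANGELOG" | awk '/1ubuntu0.13/ { on = 1 } on')

# Offline demonstration against the constructed text.
demo() {
    if v=$(printf '%s' "$SAMPLE_CHANGELOG" | fixed_version_for_cve CVE-2022-23521); then
        echo "CVE-2022-23521 is fixed from package version $v onward"
    else
        echo "CVE-2022-23521 is not mentioned in this changelog"
    fi
}
demo
```

The upstream version never appears in the decision: a box still showing `git version 2.17.1` is patched as soon as the installed revision is at or above the one whose stanza names the CVE, which is exactly why comparing `git --version` against 2.39.1 gives the wrong answer.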
