Per the upstream release announcement¹, this release fixes "various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc. See the release notes attached for the list for their descriptions and CVE identifiers."
Refer to the 2.14.6 release notes² for details on these vulnerabilities and the 2.24.0 release notes³ for details on other improvements and fixes since 2.23.0.
¹ https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
² https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.14.6.txt
³ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.24.0.txt
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-c841bcc3b9
This update has been submitted for testing by tmz.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
tmz edited this update.
tmz edited this update.
LGTM some basic tests.
This update can be pushed to stable now if the maintainer wishes
WFM on x86_64.
WFM on x86_64.
WFM on x86_64.
WFM.
WFM.
Works
This is a pretty important security update - any reason not to push the button to ship it?
Yes. It's a bump from 2.23.0 to 2.24.1 (which was in the works before these issues arose). While 5 of the 9 issues fixed here are rated as high severity (per https://github.com/git/git/security/advisories), only one of those 5 has the potential to affect Linux users -- and even then only where git is cloning to an NTFS networked drive with short names enabled.
So the risk to Fedora users is considerably lower than it is to Windows git users. (The severity is set to high per the security team's initial bug assessments, but I suspect that after more thorough review that might be lowered -- but the Fedora updates should all be pushed to stable before then.)
Thus I feel comfortable letting this spend a few more days in testing to ensure we don't run into any issues in the 2.23.0 -> 2.24.1 bump. I really don't expect any, thanks to the care which upstream takes to avoid regressions, but I'd rather not cause anyone trouble which can be avoided by a little more testing.
Thanks for the poke in any case. I appreciate the nudge to ensure this wasn't an unintentional delay!
+1
This update has been submitted for stable by tmz.
This update has been pushed to stable.