RLSA-2022:7129

Source
https://errata.rockylinux.org/RLSA-2022:7129
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2022:7129.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2022:7129
Related
Published
2022-10-25T07:32:51Z
Modified
2023-02-02T13:48:29.858419Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Moderate: git-lfs security and bug fix update
Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

  • golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

  • golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • git-lfs needs to be rebuild with golang 1.17.7-1 or above
References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:8 / git-lfs

Package

Name
git-lfs
Purl
pkg:rpm/rocky-linux/git-lfs?distro=rocky-linux-8&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.13.3-3.el8_6