openSUSE-SU-2025:0153-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:0153-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/openSUSE-SU-2025:0153-1
- Related
- Published
- 2025-05-12T16:01:51Z
- Modified
- 2025-05-13T14:14:04.651198Z
- Upstream
- Summary
- Security update for git-lfs
- Details
-
This update for git-lfs fixes the following issues:
Update to 3.6.1: (boo#1235876):
This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.
When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials. Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.
Bugs
- Reject bare line-ending control characters in Git credential requests (@chrisd8088)
update to version 3.6.0:
- https://github.com/git-lfs/git-lfs/releases/tag/v3.6.0
update to 3.5.1:
- Build release assets with Go 1.21 #5668 (@bk2204)
- script/packagecloud: instantiate distro map properly #5662 (@bk2204)
- Install msgfmt on Windows in CI and release workflows #5666 (@chrisd8088)
update to version 3.4.1:
- https://github.com/git-lfs/git-lfs/releases/tag/v3.4.1
- References
Affected packages
SUSE:Package Hub 15 SP6 / git-lfs
Package
- Name
- git-lfs
- Purl
- pkg:rpm/suse/git-lfs&distro=SUSE%20Package%20Hub%2015%20SP6