Alerts This Week
Warning Icon 1 1,109
Alerts This Week
Warning Icon 1 1,109

Debian 11: DLA-4028-1 critical: git-lfs credentials exposure

debian lts
Calendar Grey January 22, 2025
Dist Debian Esm H88
Ubuntu CVE Notice UCN-4096-2 tackles significant vulnerabilities in npm package management, ensuring safe installations.
CVE-2024-53263 When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command

Summary

When Git LFS requests credentials from Git for a remote host, it
passes portions of the host's URL to the `git-credential(1)` command
without checking for embedded line-ending control characters, and then
sends any credentials it receives back from the Git credential helper
to the remote host. By inserting URL-encoded control characters such
as line feed (LF) or carriage return (CR) characters into the URL,
an attacker may be able to retrieve a user's Git credentials.

For Debian 11 bullseye, this problem has been fixed in version
2.13.2-1+deb11u1.

We recommend that you upgrade your git-lfs packages.

For the detailed security status of git-lfs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/git-lfs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
critical
Lowest
Low
Medium
High
Critical

Package: git-lfs
Version: 2.13.2-1+deb11u1
CVE ID: CVE-2024-53263
Debian Bug: 1093048

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here