openSUSE-SU-2025:0153-1

Описание

This update for git-lfs fixes the following issues:

Update to 3.6.1: (boo#1235876):

This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials. Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.

• Bugs

  • Reject bare line-ending control characters in Git credential requests (@chrisd8088)

update to version 3.6.0:

• https://github.com/git-lfs/git-lfs/releases/tag/v3.6.0

update to 3.5.1:

• Build release assets with Go 1.21 #5668 (@bk2204)
• script/packagecloud: instantiate distro map properly #5662 (@bk2204)
• Install msgfmt on Windows in CI and release workflows #5666 (@chrisd8088)

update to version 3.4.1:

• https://github.com/git-lfs/git-lfs/releases/tag/v3.4.1