[Bugs] [Bug 13262] New: [CVE 21] libgit2 1.4.2 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed May 3 12:57:20 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13262
Platform: 2021.1
Bug ID: 13262
Summary: [CVE 21] libgit2 1.4.2 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2023-22742
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package libgit2 version 1.4.2
INFO (CVEs are): libgit2 1.4.2 CVEs found
CVE-2023-22742
Desc: libgit2 is a cross-platform, linkable library implementation of Git. When
using an SSH remote with the optional libssh2 backend, libgit2 does not perform
certificate checking by default. Prior versions of libgit2 require the caller
to set the `certificate_check` field of libgit2's `git_remote_callbacks`
structure - if a certificate check callback is not set, libgit2 does not
perform any certificate checking. This means that by default - without
configuring a certificate check callback, clients will not perform validation
on the server SSH keys and may be subject to a man-in-the-middle attack. Users
are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should
ensure that all relevant certificates are manually checked.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-22742
Severity: MEDIUM
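The NVD text above says the fix for callers who cannot upgrade is to check the SSH host key themselves through the `certificate_check` field of `git_remote_callbacks`. The following is an added example of what such a check looks like; it is not code from this bug report, from ROSA, or from libgit2. The pinned fingerprint `DEMO_PIN` is constructed for demonstration, the `WITH_LIBGIT2` macro and the `clone_with_pin` helper are this example's own conventions, and the libgit2 names used inside that block (`git_cert_hostkey`, `GIT_CERT_HOSTKEY_LIBSSH2`, `GIT_CERT_SSH_SHA256`, `GIT_ECERTIFICATE`, `GIT_CLONE_OPTIONS_INIT`) are the real libgit2 1.x API. The comparison logic compiles and runs without libgit2 so it can be exercised on its own; the libgit2 glue is only compiled when `-DWITH_LIBGIT2` is passed together with the library's headers.

```c
/* Pinned SSH host-key check for libgit2's certificate_check callback.
 * Added example, not from the bug report or from libgit2 itself.
 * DEMO_PIN is a constructed SHA-256 fingerprint (64 hex chars). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA256_LEN 32
#define DEMO_PIN "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a 64-character hex string into 32 bytes. Returns 0 on success, -1 on bad input. */
int decode_sha256_hex(const char *hex, unsigned char out[SHA256_LEN]) {
    if (hex == NULL || strlen(hex) != 2 * SHA256_LEN) return -1;
    for (size_t i = 0; i < SHA256_LEN; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Constant-time comparison: the position of a mismatch does not affect timing. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Core decision. Returns 0 when the presented key matches the pin, -1 otherwise.
 * have_sha256 == 0 means the transport supplied no SHA-256 hash: fail closed. */
int pinned_hostkey_check(const unsigned char *presented, int have_sha256,
                         const char *pinned_hex) {
    unsigned char expected[SHA256_LEN];
    if (!have_sha256) return -1;
    if (decode_sha256_hex(pinned_hex, expected) != 0) return -1;
    return ct_equal(presented, expected, SHA256_LEN) ? 0 : -1;
}

/* Convenience wrapper for tests and demos: the presented key is given as hex too. */
int check_hex_against_pin(const char *presented_hex, const char *pinned_hex) {
    unsigned char presented[SHA256_LEN];
    int have = decode_sha256_hex(presented_hex, presented) == 0;
    return pinned_hostkey_check(presented, have, pinned_hex);
}

#ifdef WITH_LIBGIT2
#include <git2.h>
/* The callback libgit2 invokes once certificate_check is set. A negative return
 * aborts the connection. For SSH, `valid` carries no information (libssh2 does
 * not validate host keys), so the decision rests on the pin alone. */
static int certificate_check_cb(git_cert *cert, int valid, const char *host, void *payload) {
    const char *pinned_hex = payload;
    (void)valid;
    if (cert->cert_type != GIT_CERT_HOSTKEY_LIBSSH2) return GIT_ECERTIFICATE;
    git_cert_hostkey *hk = (git_cert_hostkey *)cert;
    int rc = pinned_hostkey_check(hk->hash_sha256, hk->type & GIT_CERT_SSH_SHA256, pinned_hex);
    if (rc != 0) fprintf(stderr, "host key for %s does not match the pinned fingerprint\n", host);
    return rc == 0 ? 0 : GIT_ECERTIFICATE;
}

/* Hypothetical helper: clone over SSH with the pin enforced on every connection. */
int clone_with_pin(const char *url, const char *path, const char *pinned_hex) {
    git_repository *repo = NULL;
    git_clone_options opts = GIT_CLONE_OPTIONS_INIT;
    opts.fetch_opts.callbacks.certificate_check = certificate_check_cb;
    opts.fetch_opts.callbacks.payload = (void *)pinned_hex;
    git_libgit2_init();
    int rc = git_clone(&repo, url, path, &opts);
    git_repository_free(repo);
    git_libgit2_shutdown();
    return rc;
}
#endif

/* Stand-alone demonstration with the constructed fingerprint. */
int main(void) {
    const char *tampered = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeefe";
    printf("matching key: %d\n", check_hex_against_pin(DEMO_PIN, DEMO_PIN));   /* 0 */
    printf("tampered key: %d\n", check_hex_against_pin(tampered, DEMO_PIN));   /* -1 */
    printf("no usable hash: %d\n", check_hex_against_pin("not-hex", DEMO_PIN)); /* -1 */
    return 0;
}
```

The point of failing closed when no SHA-256 hash is offered is that the unpatched default in 1.4.2 is the opposite: with no callback installed, libgit2 accepts whatever key the server presents. Returning a negative value from the callback is what turns that silent acceptance into a refused connection that an operator can notice and investigate.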