<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] libgit2 1.4.2 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13262">13262</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] libgit2 1.4.2 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2023-22742,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package libgit2 version 1.4.2
INFO (CVEs are): libgit2 1.4.2 cves found
CVE-2023-22742
Desc: libgit2 is a cross-platform, linkable library implementation of Git. When
using an SSH remote with the optional libssh2 backend, libgit2 does not perform
certificate checking by default. Prior versions of libgit2 require the caller
to set the `certificate_check` field of libgit2's `git_remote_callbacks`
structure - if a certificate check callback is not set, libgit2 does not
perform any certificate checking. This means that by default - without
configuring a certificate check callback, clients will not perform validation
on the server SSH keys and may be subject to a man-in-the-middle attack. Users
are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should
ensure that all relevant certificates are manually checked.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22742">https://nvd.nist.gov/vuln/detail/CVE-2023-22742</a>
Severity: MEDIUM</pre>
</div>
</p>
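<p>Added example, not part of this bug report and not libgit2's own code: what the advice "ensure that all relevant certificates are manually checked" means in practice for a caller who cannot move off 1.4.2, namely a <code>certificate_check</code> callback installed in <code>git_remote_callbacks</code> that pins the SSH server's host key. The callback signature and the <code>git_cert</code> / <code>git_cert_hostkey</code> names follow libgit2's public API; the type definitions inside the block are local stand-ins so the file compiles without the library installed, and the host name and fingerprint are constructed fixtures, not a real key.</p>

```c
/* Added example, not code from this bug report or from the libgit2 project:
 * a git_remote_callbacks.certificate_check callback that pins the SSH
 * server's host key, which CVE-2023-22742 leaves to callers of libgit2 1.4.2.
 * So that this file builds without libgit2 installed, the types below are
 * local stand-ins copying the names/fields of libgit2's git_cert and
 * git_cert_hostkey (an assumption; with the real library #include <git2.h>
 * and delete this stand-in section). */
#include <stddef.h>
#include <string.h>

#define GIT_OK            0
#define GIT_ECERTIFICATE -17   /* libgit2: "certificate check failed" */

typedef enum { GIT_CERT_NONE, GIT_CERT_X509,
               GIT_CERT_HOSTKEY_LIBSSH2, GIT_CERT_STRARRAY } git_cert_t;
typedef enum { GIT_CERT_SSH_MD5 = 1, GIT_CERT_SSH_SHA1 = 2,
               GIT_CERT_SSH_SHA256 = 4 } git_cert_ssh_t;
typedef struct { git_cert_t cert_type; } git_cert;
typedef struct {
    git_cert parent;              /* cert_type == GIT_CERT_HOSTKEY_LIBSSH2 */
    git_cert_ssh_t type;          /* bitmask: which hash fields are filled */
    unsigned char hash_md5[16];
    unsigned char hash_sha1[20];
    unsigned char hash_sha256[32];
} git_cert_hostkey;

/* Caller-supplied pin, handed to the callback via git_remote_callbacks.payload. */
typedef struct {
    const char   *host;           /* host name we intend to talk to */
    unsigned char sha256[32];     /* SHA-256 of the server's host key */
} pinned_hostkey;

/* Constant-time comparison: no early exit at the first differing byte. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Same signature as libgit2's git_transport_certificate_check_cb: return 0
 * to accept the connection, a negative value to abort it. `valid` is
 * libgit2's own verdict; with the 1.4.2 libssh2 transport it reflects no
 * verification at all, so it is ignored and the pin alone decides. */
int pinned_hostkey_check(git_cert *cert, int valid, const char *host, void *payload)
{
    const pinned_hostkey *pin = payload;
    (void)valid;

    if (cert == NULL || host == NULL || pin == NULL || pin->host == NULL)
        return GIT_ECERTIFICATE;
    if (cert->cert_type != GIT_CERT_HOSTKEY_LIBSSH2)
        return GIT_ECERTIFICATE;       /* only SSH host keys are pinned here */
    if (strcmp(host, pin->host) != 0)
        return GIT_ECERTIFICATE;       /* a key pinned for another host must not pass */

    const git_cert_hostkey *hk = (const git_cert_hostkey *)cert;
    if (!(hk->type & GIT_CERT_SSH_SHA256))
        return GIT_ECERTIFICATE;       /* do not fall back to MD5 or SHA-1 */
    return ct_equal(hk->hash_sha256, pin->sha256, sizeof pin->sha256)
               ? GIT_OK : GIT_ECERTIFICATE;
}

/* Wiring with the real library (not compiled in this stand-alone file):
 *   git_fetch_options opts = GIT_FETCH_OPTIONS_INIT;
 *   opts.callbacks.certificate_check = pinned_hostkey_check;
 *   opts.callbacks.payload = &my_pin;       // my_pin.sha256 obtained out of band,
 *   git_remote_fetch(remote, NULL, &opts, NULL);  // e.g. decoded from ssh-keygen -lf */

/* Constructed fixture for a stand-alone run: not a real host key. */
static pinned_hostkey DEMO_PIN = { "git.example.com", {
    0x5b,0x9a,0x2f,0xc3,0x11,0x7e,0xd0,0x48,0x3a,0x61,0xb5,0xee,0x07,0x9c,0x24,0xf6,
    0xa8,0x3d,0x52,0x0b,0xc7,0x1e,0x96,0x4d,0xe3,0x70,0x89,0x16,0xbf,0x2a,0xd4,0x65 } };

/* Builds the cert libgit2 would pass in; `tamper` flips one bit of the hash
 * to simulate an interposed server presenting its own key. */
git_cert_hostkey demo_cert(unsigned hash_types, int tamper)
{
    git_cert_hostkey c;
    memset(&c, 0, sizeof c);
    c.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
    c.type = (git_cert_ssh_t)hash_types;
    memcpy(c.hash_sha256, DEMO_PIN.sha256, sizeof c.hash_sha256);
    if (tamper)
        c.hash_sha256[31] ^= 0x01;
    return c;
}

/* Runs the callback against the fixture for one scenario. */
int check_demo(unsigned hash_types, int tamper, const char *host)
{
    git_cert_hostkey c = demo_cert(hash_types, tamper);
    return pinned_hostkey_check(&c.parent, 0, host, &DEMO_PIN);
}

int main(void)
{
    int ok = check_demo(GIT_CERT_SSH_SHA256, 0, "git.example.com")  == GIT_OK
          && check_demo(GIT_CERT_SSH_SHA256, 1, "git.example.com")  == GIT_ECERTIFICATE
          && check_demo(GIT_CERT_SSH_SHA256, 0, "evil.example.com") == GIT_ECERTIFICATE
          && check_demo(GIT_CERT_SSH_MD5,    0, "git.example.com")  == GIT_ECERTIFICATE;
    return ok ? 0 : 1;
}
```

<p>The same callback goes into <code>git_clone_options.fetch_opts.callbacks</code> for a clone. Rejecting certs that carry only an MD5 or SHA-1 hash is deliberate: a pin that silently downgrades to a weaker digest is a weaker pin, and the SHA-256 field is what libgit2 fills for any modern libssh2.</p>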
</body>
</html>