Subject: [bug#55001] [PATCH] gnu: git: Update to 2.35.2 [fixes CVE-2022-24765].
From: Maxime Devos
To: Zhu Zihao, Greg Hogan
Cc: 55001@debbugs.gnu.org
Date: Mon, 18 Apr 2022 20:03:16 +0200

Zhu Zihao wrote on Tue 19-04-2022 at 00:02 [+0800]:
>
> Hi.
>
> https://www.phoronix.com/scan.php?page=news_item&px=Git-CVE-2022-24765
>
> This article says "likely due to only affect Microsoft Windows". I
> haven't tested this CVE on *nix systems.
>
> If it doesn't affect Guix systems, should I remove "[fixes
> CVE-2022-24765]" in the git commit message or leave it there?

According to and its comments, it affects ‘multi-user (*) Linux (**)
systems’ as well, if someone has their git repo inside /tmp. (Does
anyone actually do that?)

(*) I would think this includes otherwise single-user systems with a
compromised daemon as well?

(**) Presumably also GNU/Hurd and the BSDs.

Greetings,
Maxime.
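
Added example (not part of the message above, and not Git's or Guix's own code): a check for the situation discussed in the thread, where a working directory under a shared location such as /tmp sits below a `.git` that belongs to another account. The function names, the scratch layout and the `uid + 1` stand-in for a second account are assumptions made for illustration; the ownership comparison only approximates the check that newer Git performs.

```python
import os
import tempfile
from pathlib import Path


def find_enclosing_repo(start):
    """Walk from `start` up to the filesystem root, as repository
    discovery does, and return the first directory containing `.git`."""
    here = Path(start).resolve()
    for d in (here, *here.parents):
        if (d / ".git").exists():
            return d
    return None


def check_repo_ownership(start, uid=None):
    """Return (repo_dir, owner_uid, foreign). `foreign` is True when the
    discovered repository directory is owned by a user other than `uid`."""
    uid = os.geteuid() if uid is None else uid
    repo = find_enclosing_repo(start)
    if repo is None:
        return None, None, False
    owner = repo.stat().st_uid
    return repo, owner, owner != uid


def demo():
    # Constructed layout: a repository at the top of a scratch directory
    # (standing in for /tmp) and an unrelated working directory below it.
    with tempfile.TemporaryDirectory() as top:
        (Path(top) / ".git").mkdir()
        work = Path(top) / "alice" / "project"
        work.mkdir(parents=True)
        repo, owner, foreign = check_repo_ownership(work)
        # Same layout as seen from another account (hypothetical uid).
        _, _, foreign_other = check_repo_ownership(work, uid=owner + 1)
        return repo == Path(top).resolve(), foreign, foreign_other


if __name__ == "__main__":
    print(demo())
```

Run against a real path, `check_repo_ownership(os.getcwd())` reporting `foreign=True` means commands run there would pick up a repository that someone else controls.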