[Bug 2003204] Re: Update git because of CVE-2022-23521
Eliah Kagan
2003204 at bugs.launchpad.net
Sat Jun 1 22:34:49 UTC 2024
As shown at https://ubuntu.com/security/CVE-2022-23521, Canonical *did*
provide a fix for this, including for the three versions of Ubuntu
mentioned here (18.04 bionic, 20.04 focal, 22.04 jammy). That Ubuntu
Security Notice was published a day before this bug report was opened,
and unless I'm missing something, it looks like this bug report was
based on a misconception about how security patches and their associated
versioning works.
Most security patches in Debian, Ubuntu, and most (though not all)
distros are provided as patched versions that add only the fix for
the security vulnerability, without new feature changes. In Ubuntu, this
relates to https://wiki.ubuntu.com/StableReleaseUpdates. That is what
https://bugs.launchpad.net/ubuntu/+source/git/+bug/2003204/comments/1
above is referring to. The fixed packages' version numbers did not match
the expectation expressed in the bug description here, but they did fix
the bug.
Of course, it can still be valuable to use ppa:git-core/ppa if one wants
the *features* of a new git version, such as performance, additional
options, more user-friendly messages, and so forth. But getting fixes
for security vulnerabilities does not generally require this, and did
not require it in the case of CVE-2022-23521.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/2003204
Title:
Update git because of CVE-2022-23521
Status in git package in Ubuntu:
Confirmed
Bug description:
Please provide the latest git for Ubuntu LTS (18, 20 and 22)
The current version appears to be 2.39.1. The versions available from
apt seem to be pretty old. We still have some systems with Ubuntu 18
LTS, and I see 2.17.1 there after running sudo apt update && sudo apt
upgrade -y
See also:
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
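The distinction drawn in the reply above, that the upstream version string is not the test for whether a CVE is fixed but the package changelog is, can be turned into a small check. What follows is an added example written for this page; it is not code from the bug report, from Launchpad or from Ubuntu's tooling. The changelog excerpt, the maintainer line and the package version 1:2.17.1-1ubuntu0.99 are constructed placeholders rather than the real bionic update, and 2.39.1 is taken from the bug description and treated, as an assumption of the example, as the first upstream release carrying the fix.

```sh
#!/bin/sh
# Added example (not from the bug report or Ubuntu): decide whether an
# installed Debian/Ubuntu package carries a CVE fix. A naive check compares
# the upstream version against the upstream release that fixed the bug;
# a distro backport keeps the old upstream version and records the CVE in
# the package changelog instead, so the changelog is what must be read.

# Constructed changelog excerpt in Debian changelog format. The version,
# maintainer and date are placeholders, not the real bionic security update.
SAMPLE_CHANGELOG='git (1:2.17.1-1ubuntu0.99) bionic-security; urgency=medium

  * SECURITY UPDATE: fix for CVE-2022-23521
    - CVE-2022-23521

 -- Example Maintainer <example@example.invalid>  Tue, 17 Jan 2023 10:00:00 +0000
'

# Strip the Debian epoch ("1:") and the packaging revision ("-1ubuntu0.99")
# from a package version, leaving the upstream version a naive check sees.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Return 0 when dotted numeric version $1 is strictly older than $2
# (e.g. 2.17.1 < 2.39.1). Missing components count as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a= || a=${a#*.}
        [ "$y" = "$b" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Return 0 when the changelog text ($1) names the CVE id ($2) as a whole
# token, which is how Debian/Ubuntu security uploads record the fixes they
# carry. The boundary check stops CVE-2022-23521 matching CVE-2022-235210.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -q -E "(^|[^A-Za-z0-9-])$2([^0-9]|$)"
}

# Classify an installed package: $1 = Debian version, $2 = its changelog,
# $3 = CVE id, $4 = first upstream version with the fix.
# Prints fixed-upstream, fixed-by-backport or not-fixed.
assess() {
    up=$(upstream_version "$1")
    if ! version_lt "$up" "$4"; then
        echo fixed-upstream
    elif cve_fixed_in_changelog "$2" "$3"; then
        echo fixed-by-backport
    else
        echo not-fixed
    fi
}

# Demonstration on the constructed data. On a real Ubuntu host the two inputs
# would come from:
#   dpkg-query -W -f='${Version}\n' git
#   apt-get changelog git
installed='1:2.17.1-1ubuntu0.99'   # constructed placeholder version
printf 'installed %s -> upstream %s (older than 2.39.1)\n' \
    "$installed" "$(upstream_version "$installed")"
printf 'verdict for CVE-2022-23521: %s\n' \
    "$(assess "$installed" "$SAMPLE_CHANGELOG" CVE-2022-23521 2.39.1)"
```

The point of the third verdict value is the one the reply makes: `not-fixed` is only justified when both the upstream version is older than the fixing release and the changelog is silent about the CVE; an old upstream version on its own says nothing.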