-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1169
                          libgit2 security update
                             24 February 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libgit2
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-22742 CVE-2020-12279 CVE-2020-12278

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

Comment: CVSS (Max):  9.8 CVE-2020-12279 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3340-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
February 23, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libgit2
Version        : 0.27.7+dfsg.1-0.2+deb10u1
CVE ID         : CVE-2020-12278 CVE-2020-12279 CVE-2023-22742
Debian Bug     : 1029368

Vulnerabilities have been found in libgit2, a cross-platform, linkable
library implementation of Git, which may result in remote code execution
when cloning a repository on an NTFS-like filesystem, or in man-in-the-middle
attacks due to improper verification of cryptographic signatures.

CVE-2020-12278

    An issue was discovered in libgit2 before 0.28.4 and 0.9x before
    0.99.0.  path.c mishandles equivalent filenames that exist because of
    NTFS Alternate Data Streams. This may allow remote code execution when
    cloning a repository.

CVE-2020-12279

    An issue was discovered in libgit2 before 0.28.4 and 0.9x before
    0.99.0.  checkout.c mishandles equivalent filenames that exist because
    of NTFS short names. This may allow remote code execution when cloning a
    repository.
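The two NTFS issues above (CVE-2020-12278 and CVE-2020-12279) share one root cause: a tree entry whose name is not literally `.git` but which NTFS resolves to the same directory. The following Python is an added example, not libgit2's own code, modelled on the kind of checkout-time filter the fixed versions apply; it assumes that trailing dots and spaces, an alternate-data-stream suffix after `:`, and an 8.3 short name of the form `GIT~N` (N taken here as 1 to 9, an assumption) are the equivalences to reject, and treats both `/` and `\` as separators.

```python
# Added example, not libgit2 code: reject repo-relative paths that NTFS would
# resolve to the .git directory, so a hostile tree cannot plant hooks/config.
import re

# NTFS is case-insensitive, and Windows shortens ".git" to "GIT~N" (8.3 name).
# The digit range 1-9 is an assumption for this example.
DOTGIT = ".git"
SHORTNAME = re.compile(r"^git~[1-9]$", re.IGNORECASE)


def ntfs_canonical(component: str) -> str:
    """Return the name NTFS would actually open for this path component.

    Anything after the first ':' is a stream designator (an Alternate Data
    Stream such as '::$INDEX_ALLOCATION') and does not change which file is
    addressed; trailing dots and spaces are dropped by the Win32 path layer.
    """
    base = component.split(":", 1)[0]
    return base.rstrip(" .")


def is_ntfs_dotgit(component: str) -> bool:
    """True if this single component would collide with .git on NTFS."""
    canon = ntfs_canonical(component)
    if canon.lower() == DOTGIT:
        return True
    return bool(SHORTNAME.match(canon))


def unsafe_components(path: str) -> list:
    """Return every component of a repo-relative path that aliases .git.

    Both '/' and '\\' are treated as separators: a hostile tree can carry
    either, and Windows honours both.
    """
    parts = re.split(r"[/\\]", path)
    return [p for p in parts if p and is_ntfs_dotgit(p)]


def path_is_safe(path: str) -> bool:
    """Checkout-time gate: accept only paths that cannot write into .git."""
    return not unsafe_components(path)
```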

CVE-2023-22742

    libgit2 is a cross-platform, linkable library implementation of Git.
    When using an SSH remote with the optional libssh2 backend, libgit2 does
    not perform certificate checking by default. Prior versions of libgit2
    require the caller to set the `certificate_check` field of libgit2's
    `git_remote_callbacks` structure; if a certificate check callback is
    not set, libgit2 does not perform any certificate checking. This means
    that by default, without configuring a certificate check callback,
    clients will not perform validation on the server SSH keys and may be
    subject to a man-in-the-middle attack.
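What a `certificate_check` callback has to do for an SSH remote is compare the presented host key against a pin the client already trusts. The Python below is an added example, not libgit2 or pygit2 code: it models the callback's contract (return 0 to accept, a negative value to reject), loads pins from OpenSSH known_hosts lines, and rejects both unknown hosts and mismatching keys. The host names and key bytes are constructed, not real keys, and the `valid` argument is ignored because for the libssh2 transport libgit2 makes no host-key judgement of its own.

```python
# Added example, not libgit2 code: host-key pinning with the contract of
# libgit2's certificate_check callback (0 accepts, negative aborts).
import base64
import hashlib

# Constructed known_hosts content: "host[,host2] key-type base64-blob".
# SAMPLE_KEY is arbitrary bytes standing in for a real public key blob.
SAMPLE_KEY = b"constructed ed25519 public key bytes (not a real key)"
KNOWN_HOSTS = ("git.example.test,10.0.0.5 ssh-ed25519 "
               + base64.b64encode(SAMPLE_KEY).decode())

ACCEPT, REJECT = 0, -1   # libgit2 convention: 0 accepts, <0 rejects


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the key hash."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_pins(text: str) -> dict:
    """Map host -> {(key_type, fingerprint)} from known_hosts lines.

    Hashed (|1|...) entries and @-marker lines are skipped in this example;
    a production check must parse them rather than treat them as absent.
    """
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|", "@")):
            continue
        key_type, blob = fields[1], base64.b64decode(fields[2])
        for host in fields[0].split(","):
            pins.setdefault(host, set()).add((key_type, fingerprint(blob)))
    return pins


def certificate_check(host: str, key_type: str, key_blob: bytes,
                      valid: int, pins: dict) -> int:
    """Decide as a git_remote_callbacks.certificate_check implementation.

    `valid` is deliberately unused: for SSH the library offers no trust
    decision of its own, so trust rests entirely on the pin. Unknown hosts
    are rejected (no trust-on-first-use), as is any key-type or
    fingerprint mismatch against the pinned entry.
    """
    expected = pins.get(host, set())
    if (key_type, fingerprint(key_blob)) in expected:
        return ACCEPT
    return REJECT
```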

For Debian 10 buster, these problems have been fixed in version
0.27.7+dfsg.1-0.2+deb10u1.

We recommend that you upgrade your libgit2 packages.

For the detailed security status of libgit2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgit2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----