Bug 13262

Summary: [CVE 21] libgit2 1.4.2 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2023-22742
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 13:57:20 MSK
Please patch the CVEs for the libgit2 package, version 1.4.2
INFO (CVEs are): libgit2 1.4.2 cves found
CVE-2023-22742
Desc: libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-22742
Severity: MEDIUM
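As an added example (not from this bug report, ROSA or libgit2), a `certificate_check` callback in C that pins the SSH server's host key by SHA-256 fingerprint, which is the manual check the advisory recommends for callers on affected versions. It assumes libgit2's public header `<git2.h>` and a constructed placeholder fingerprint; the callback portion only compiles where that header is installed.

```c
/* Added example, not code from this bug report, ROSA or libgit2: a
 * certificate_check callback that pins the SSH host key by SHA-256
 * fingerprint. Without such a callback libgit2 1.4.2 verifies nothing. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Compare a raw 32-byte SHA-256 host-key hash with the expected 64-char hex
 * fingerprint without early exit on mismatching bytes. 1 = match, 0 = reject. */
int hostkey_sha256_matches(const unsigned char *hash, size_t len, const char *hex)
{
    static const char digits[] = "0123456789abcdef";
    unsigned char diff = 0;
    if (!hash || !hex || len != 32 || strlen(hex) != 64)
        return 0;
    for (size_t i = 0; i < 32; i++) {
        const char *hi = strchr(digits, tolower((unsigned char)hex[2 * i]));
        const char *lo = strchr(digits, tolower((unsigned char)hex[2 * i + 1]));
        if (!hi || !lo)
            return 0;                    /* malformed fingerprint: reject */
        diff |= hash[i] ^ (unsigned char)(((hi - digits) << 4) | (lo - digits));
    }
    return diff == 0;
}
#if defined(__has_include)
#if __has_include(<git2.h>)              /* only when libgit2 headers exist */
#include <git2.h>
/* Placeholder (constructed) fingerprint; replace with the real server's. */
#define PINNED_HOSTKEY_SHA256_HEX \
    "0000000000000000000000000000000000000000000000000000000000000000"
/* git_transport_certificate_check_cb: return 0 to accept the connection,
 * a negative value to abort it. The 'valid' hint is deliberately ignored. */
static int pinned_certificate_check(git_cert *cert, int valid,
                                    const char *host, void *payload)
{
    (void)valid; (void)payload;
    if (cert->cert_type != GIT_CERT_HOSTKEY_LIBSSH2)
        return -1;                       /* only SSH host keys are handled */
    git_cert_hostkey *key = (git_cert_hostkey *)cert;
    if (!(key->type & GIT_CERT_SSH_SHA256) ||
        !hostkey_sha256_matches(key->hash_sha256, sizeof key->hash_sha256,
                                PINNED_HOSTKEY_SHA256_HEX)) {
        fprintf(stderr, "rejecting SSH host key for %s\n", host);
        return -1;
    }
    return 0;
}
/* Install on the git_remote_callbacks passed to git_remote_fetch()/push(). */
void pin_ssh_hostkey(git_remote_callbacks *cb) { cb->certificate_check = pinned_certificate_check; }
#endif
#endif
```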
Comment 1 Svyatoslav Matveev 2023-05-24 11:08:37 MSK
********** QA ADVISORY **********

The CVE is closed by the update (updating is recommended).
The major version did not change; check that operation over ssh works.

*** libgit2
**  1.4.2 -> 1.4.5

https://abf.io/build_lists/4443356
https://abf.io/build_lists/4443357
https://abf.io/build_lists/4443355
https://abf.io/build_lists/4443359
https://abf.io/build_lists/4443358
Comment 2 Dmitry Postnikov 2023-05-24 16:09:05 MSK
***************************
The update has been sent to testing.
Comment 3 Vladimir Potapov 2023-05-30 17:57:31 MSK
libgit2-1.4.5-1
https://abf.io/build_lists/4443356
https://abf.io/build_lists/4443357
https://abf.io/build_lists/4443355
https://abf.io/build_lists/4443359
https://abf.io/build_lists/4443358
************************ Advisory ************************
1.4.2 -> 1.4.5
**********************************************************
QA Verified
Comment 4 Yury 2023-07-25 13:54:55 MSK
Secteam Verified