[RLSA-2024:3346] git-lfs security update

Severity Important

Affected Packages 2

CVEs 4

An update is available for git-lfs. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Package	Affected Version
pkg:rpm/rockylinux/git-lfs?arch=x86_64&distro=rockylinux-8.10	< 3.4.1-2.el8_10
pkg:rpm/rockylinux/git-lfs?arch=aarch64&distro=rockylinux-8.10	< 3.4.1-2.el8_10

ID

RLSA-2024:3346

Severity

important

URL

https://errata.rockylinux.org/RLSA-2024:3346

Published

2024-06-14T13:59:30
(3 months ago)

Modified

2024-06-14T14:02:39
(3 months ago)

Rights

Other Advisories

Source	# ID	URL
CVE	CVE-2023-45288	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288
CVE	CVE-2023-45289	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45289
CVE	CVE-2023-45290	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290
CVE	CVE-2024-24783	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24783
Bugzilla	2268017	https://bugzilla.redhat.com/show_bug.cgi?id=2268017
Bugzilla	2268018	https://bugzilla.redhat.com/show_bug.cgi?id=2268018
Bugzilla	2268019	https://bugzilla.redhat.com/show_bug.cgi?id=2268019
Bugzilla	2268273	https://bugzilla.redhat.com/show_bug.cgi?id=2268273
Self	RLSA-2024:3346	https://errata.rockylinux.org/RLSA-2024:3346

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:rpm/rockylinux/git-lfs?arch=x86_64&distro=rockylinux-8.10	rockylinux	git-lfs	< 3.4.1-2.el8_10	rockylinux-8.10	x86_64
Affected	pkg:rpm/rockylinux/git-lfs?arch=aarch64&distro=rockylinux-8.10	rockylinux	git-lfs	< 3.4.1-2.el8_10	rockylinux-8.10	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date