An update for git is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1210 Final 1.0 1.0 2021-06-07 Initial 2021-06-07 2021-06-07 openEuler SA Tool V1.0 2021-06-07 git security update An update for git is now available for openEuler-20.03-LTS-SP1. Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and ClearCase with features like cheap local branching, convenient staging areas, and multiple workflows. Security Fix(es): Cygwin Git is a patch set for the git command line tool for the cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream sources should manually apply a patch to mitigate the vulnerability. As mitigation users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.(CVE-2021-29468) An update for git is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High git https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1210 https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-29468 https://nvd.nist.gov/vuln/detail/CVE-2021-29468 openEuler-20.03-LTS-SP1 git-debuginfo-2.27.0-4.oe1.aarch64.rpm git-debugsource-2.27.0-4.oe1.aarch64.rpm git-daemon-2.27.0-4.oe1.aarch64.rpm git-2.27.0-4.oe1.aarch64.rpm perl-Git-SVN-2.27.0-4.oe1.noarch.rpm git-svn-2.27.0-4.oe1.noarch.rpm git-help-2.27.0-4.oe1.noarch.rpm perl-Git-2.27.0-4.oe1.noarch.rpm git-gui-2.27.0-4.oe1.noarch.rpm git-web-2.27.0-4.oe1.noarch.rpm gitk-2.27.0-4.oe1.noarch.rpm git-email-2.27.0-4.oe1.noarch.rpm git-2.27.0-4.oe1.src.rpm git-2.27.0-4.oe1.x86_64.rpm git-daemon-2.27.0-4.oe1.x86_64.rpm git-debuginfo-2.27.0-4.oe1.x86_64.rpm git-debugsource-2.27.0-4.oe1.x86_64.rpm Cygwin Git is a patch set for the git command line tool for the cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream sources should manually apply a patch to mitigate the vulnerability. As mitigation users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio. 2021-06-07 CVE-2021-29468 openEuler-20.03-LTS-SP1 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H git security update 2021-06-07 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1210