Advisory ROSA-SA-2023-2176

2023-06-27 09:16:21
ROSA LAB
abf.rosalinux.ru

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.004 Low
Percentile: 74.1%

Software: git 1.8.3.1
OS: rosa-server79

package_evr_string: git-1.8.3.1-25.res7

CVE-ID: CVE-2023-25652
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: In Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, feeding specially crafted input to git apply --reject can overwrite a path outside the working tree with partially controlled content (corresponding to the rejected hunks of the given patch). The fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying it; avoid applying one that creates a conflict where a link corresponding to the *.rej file exists.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update git command
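
A pre-check for the CVE-2023-25652 workaround above, as an added example that is not part of the ROSA advisory or of Git: it reads a patch's file headers and reports any target whose .rej file in the working tree is already a symbolic link or would resolve outside the tree. SAMPLE_PATCH, the function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile

# Constructed sample patch (not from the advisory): modifies one tracked file.
SAMPLE_PATCH = """\
diff --git a/docs/notes.txt b/docs/notes.txt
--- a/docs/notes.txt
+++ b/docs/notes.txt
@@ -1 +1 @@
-old line
+new line
"""


def patch_targets(patch_text):
    """Return the paths a unified diff touches, with the a/ or b/ prefix stripped."""
    targets, prev = [], ""
    for line in patch_text.splitlines():
        # Only a '+++ ' line directly after a '--- ' line is a file header.
        if line.startswith("+++ ") and prev.startswith("--- "):
            new, old = (l[4:].split("\t", 1)[0].strip() for l in (line, prev))
            path = old if new == "/dev/null" else new  # deletions keep the old name
            if path != "/dev/null":
                targets.append(path[2:] if path[:2] in ("a/", "b/") else path)
        prev = line
    return targets


def reject_file_risks(patch_text, worktree):
    """Report targets whose <path>.rej is a link or resolves outside worktree."""
    root = os.path.realpath(worktree)
    risks = []
    for target in patch_targets(patch_text):
        rej = os.path.join(root, target + ".rej")
        resolved = os.path.realpath(rej)
        if os.path.islink(rej):
            risks.append((target, "existing .rej is a symbolic link to " + resolved))
        elif os.path.commonpath([root, resolved]) != root:
            risks.append((target, ".rej path resolves outside the working tree"))
    return risks


def demo():
    """Build a throwaway tree with a planted docs/notes.txt.rej link and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "tree")
        os.makedirs(os.path.join(tree, "docs"))
        os.symlink(os.path.join(tmp, "outside.txt"),
                   os.path.join(tree, "docs", "notes.txt.rej"))
        return [t for t, _ in reject_file_risks(SAMPLE_PATCH, tree)]
```

An empty result from reject_file_risks means no link was found for the listed targets; it does not replace updating git with yum update git.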

CVE-ID: CVE-2023-29007
BDU-ID: 2023-02908
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the git_config_copy_or_rename_section_in_file function of the config.c file of the Git distributed version control system is related to insufficient neutralization of special elements in the request. Exploitation of the vulnerability could allow an attacker to execute arbitrary code.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update git command

OS    Version  Architecture  Package  Version    Filename
rosa  any      noarch        git      < 1.8.3.1  UNKNOWN
