UNCLASSIFIED - NO CUI

Skip to content

Update dependency libgit2/libgit2 to v1.7.2

Ghost User requested to merge renovate/libgit2-libgit2-1.x into development

This MR contains the following updates:

Package Type Update Change
libgit2/libgit2 ironbank-github patch v1.7.1 -> v1.7.2

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

libgit2/libgit2 (libgit2/libgit2)

v1.7.2: libgit2 v1.7.2

Compare Source

🔒 This is a security release with multiple changes.

  • A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.

  • A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.

  • A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.

All users of the v1.7 release line are recommended to upgrade.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports