From ${URL} :
We recently reported two invalid memory accesses in the last revision of libgit2:
* Read out-of-bounds in git_oid_nfmt: https://github.com/libgit2/libgit2/issues/3936
* DoS using a null pointer dereference in git_commit_message: https://github.com/libgit2/libgit2/issues/3937
The developers are preparing a patch to harden object parsing in libgit2 here: https://github.com/libgit2/libgit2/pull/3956
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit f9e4d518a020417d1cb9a0cd539f28bcb63e995b
Author: Manuel Rüger <mrueg@gentoo.org>
Date: Tue Oct 11 00:35:21 2016 +0200
    dev-libs/libgit2: Security bump to 0.24.2
    Gentoo-Bug: 596758
    Package-Manager: portage-2.3.1
@arches please stabilize
Needs to be cleaned up/updated for cleanup:
app-editors/atom-1.10.2: =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.7.4-r4: =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.8.0-r1: =dev-libs/libgit2-0.23*:=[ssh]
dev-libs/libgit2-glib-0.22.8: <dev-libs/libgit2-0.23
dev-libs/libgit2-glib-0.23.10-r1: <dev-libs/libgit2-0.24
dev-python/pygit2-0.20.3:RDEPEND="=dev-libs/libgit2-$(get_version_component_range 1-2)*"
dev-python/pygit2-0.21.4-r1: =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.22.1: =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.23.0: =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.23.3: =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-vcs/gitg-3.18.0-r1: <dev-libs/libgit2-glib-0.24.0
www-apps/blohg-0.13-r1: git? ( =dev-python/pygit2-0.20* )
www-apps/blohg-9999: git? ( =dev-python/pygit2-0.21* )
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
CC'ing atom maintainers, please clean up your package.
app-editors/atom-1.10.2: =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.7.4-r4: =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.8.0-r1: =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom cleanup patch is here: https://github.com/gentoo/gentoo/pull/2836
@ Manuel: Still waiting for your cleanup.
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b64de1489263019495731928a65665e3ab3daba
GLSA Vote: No
Reverting cleanup...
please clean...
(In reply to Aaron Bauman from comment #10)
> please clean...
dev-util/geany-plugins-1.25: git? ( <dev-libs/libgit2-0.23.0 )
Vulnerable versions cleaned up.