Bug 2160865

Summary: libgit2 missing security updates in F37, F36, and EPEL9 branches
Product: Fedora
Component: libgit2
Version: 37
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Fabio Valentini <decathorpe>
Assignee: Pete Walter <walter.pete>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: i, icq, walter.pete
Fixed In Version: libgit2-1.3.2-1.fc37 libgit2-1.3.2-2.el9 libgit2-1.3.2-1.fc36
Last Closed: 2023-01-27 08:56:00 UTC
Type: Bug

Description Fabio Valentini 2023-01-14 01:09:06 UTC
libgit2 v1.3.2 was a security update in the 1.3 branch of libgit2, which is what's shipped on Fedora 37 and 36. According to the upstream release notes
    https://github.com/libgit2/libgit2/releases/tag/v1.3.2
it contains fixes and compatibility fixes with git for CVE-2022-29187 and CVE-2022-24765.

The epel9 branch of libgit2 is stuck at 1.3.0, which is even before the v1.3.1 security release, which, according to
    https://github.com/libgit2/libgit2/releases/tag/v1.3.1
contains fixes for CVE-2022-24765 and other, possibly DDoS-enabling crasher bugs.

I know libgit2 is kind of notorious for breaking API and ABI compatibility between versions, but it would be great if at least security-only updates (which should hopefully not cause these issues ...) could be pushed to stable branches.
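Added example (not part of the bug report, and not code from the libgit2 project or the Fedora packaging): a Python check that compares an installed libgit2 NVR against the "Fixed In Version" builds listed on this bug using RPM's version-ordering rules, so a defender can tell whether a host still carries a pre-1.3.2 build on the F36, F37 or EPEL 9 branch. The fixed NVRs and CVE ids are the ones on this page; the host inventory is constructed sample data; the `rpmvercmp` port is simplified (no epoch, no `^` handling) and the dist-tag-to-branch mapping is an assumption.

```python
"""Flag installed libgit2 builds that predate the fixed versions on this bug."""
import re
from typing import Dict, List, Tuple

# Fixed NVRs exactly as given in the bug's "Fixed In Version" field.
FIXED_NVRS = ["libgit2-1.3.2-1.fc37", "libgit2-1.3.2-2.el9", "libgit2-1.3.2-1.fc36"]

# CVE ids named in the bug description.
CVES = ["CVE-2022-29187", "CVE-2022-24765"]


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' into its three parts (epoch not handled)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def dist_tag(release: str) -> str:
    """Return the dist tag ('fc37', 'el9', ...) that ends an RPM release string."""
    return release.rsplit(".", 1)[-1]


def rpmvercmp(a: str, b: str) -> int:
    """Simplified port of RPM's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Segments are compared as numbers when they start with a digit and as ASCII
    strings otherwise; a '~' segment sorts before anything (pre-release).
    The '^' post-release marker is not handled here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1       # only b is a pre-release, so a is newer
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The segment type (numeric or alpha) is dictated by the next char of a.
        if a[i].isdigit():
            m_a, m_b, numeric = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            m_a, m_b, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        seg_a = m_a.group(0)
        if m_b is None:
            return 1 if numeric else -1   # numeric segments sort after alpha ones
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def needs_update(installed_nvr: str, fixed_nvrs: List[str] = FIXED_NVRS) -> bool:
    """True if installed_nvr is older than the fixed build for its dist tag."""
    name, ver, rel = parse_nvr(installed_nvr)
    fixed_by_dist: Dict[str, Tuple[str, str]] = {}
    for nvr in fixed_nvrs:
        _, fver, frel = parse_nvr(nvr)
        fixed_by_dist[dist_tag(frel)] = (fver, frel)
    tag = dist_tag(rel)
    if name != "libgit2" or tag not in fixed_by_dist:
        raise ValueError(f"no fixed version known for {installed_nvr}")
    fver, frel = fixed_by_dist[tag]
    c = rpmvercmp(ver, fver)
    if c == 0:
        c = rpmvercmp(rel, frel)   # same version: the release number decides
    return c < 0


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Run needs_update() over a host -> installed NVR map, sorted by host."""
    return [(host, nvr, needs_update(nvr)) for host, nvr in sorted(inventory.items())]


# Constructed sample inventory: hostnames and installed builds are made up.
SAMPLE_INVENTORY = {
    "build01.example": "libgit2-1.3.0-3.el9",
    "build02.example": "libgit2-1.3.2-2.el9",
    "ws-f37.example": "libgit2-1.3.1-1.fc37",
    "ws-f36.example": "libgit2-1.3.2-1.fc36",
}

if __name__ == "__main__":
    for host, nvr, stale in audit(SAMPLE_INVENTORY):
        status = "NEEDS UPDATE (" + ", ".join(CVES) + ")" if stale else "ok"
        print(f"{host:18} {nvr:28} {status}")
```

On a real host the installed NVR would come from `rpm -q libgit2`; the comparison is done in Python rather than by shelling out so the check also runs on a collector that has no rpm binary. Note that a 1.3.2-1.el9 build still counts as stale, because the EPEL 9 fix on this bug is release 2.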

Comment 1 Pete Walter 2023-01-20 23:25:45 UTC
Thanks! I wasn't actually aware that there was a new security release on the 1.3 branch.

I took libgit2 over from Igor Gnatenko after it had gotten into a really bad shape. Since then I have gotten it updated to a recent(ish) version in rawhide so it should get security updates there from upstream as they are released.

1.3 is sadly fairly old but as you pointed out there was actually a newer release there. I'm issuing the update for the older branches as I type this.

Comment 2 Fedora Update System 2023-01-20 23:56:28 UTC
FEDORA-2023-1068309389 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1068309389

Comment 3 Fedora Update System 2023-01-20 23:56:28 UTC
FEDORA-2023-470c7ea49e has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-470c7ea49e

Comment 4 Fedora Update System 2023-01-20 23:56:29 UTC
FEDORA-EPEL-2023-40edbf0dcb has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-40edbf0dcb

Comment 5 Fedora Update System 2023-01-22 01:37:29 UTC
FEDORA-2023-1068309389 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1068309389`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1068309389

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-01-22 02:04:11 UTC
FEDORA-EPEL-2023-40edbf0dcb has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-40edbf0dcb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-01-22 02:41:25 UTC
FEDORA-2023-470c7ea49e has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-470c7ea49e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-470c7ea49e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-01-27 08:56:00 UTC
FEDORA-2023-470c7ea49e has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-01-30 00:35:09 UTC
FEDORA-EPEL-2023-40edbf0dcb has been pushed to the Fedora EPEL 9 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2023-01-30 01:31:01 UTC
FEDORA-2023-1068309389 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.