libgit2 v1.3.2 was a security update in the 1.3 branch of libgit2, which is what's shipped on Fedora 37 and 36. According to the upstream release notes https://github.com/libgit2/libgit2/releases/tag/v1.3.2 it contains fixes and compatibility fixes with git for CVE-2022-29187 and CVE 2022-24765. The epel9 branch of libgit2 is stuck at 1.3.0, which is even before the v1.3.1 security release, which, according to https://github.com/libgit2/libgit2/releases/tag/v1.3.1 contains fixes for CVE 2022-24765 and other, possibly DDoS-enabling crasher bugs. I know libgit2 is kind of notorious for breaking API and ABI compatibility between versions, but it would be great if at least security-only updates (which should hopefully not cause these issues ...) could be pushed to stable branches.
Thanks! I wasn't actually aware that there was a new security release on the 1.3 branch. I took libgit2 over after Igor Gnatenko after it had gotten into a really bad shape. Since then I have gotten it updated to a recent(ish) version in rawhide so it should get security updates there from upstream as they are released. 1.3 is sadly fairly old but as you pointed out there was actually a newer release there. I'm issuing the update for the older branches as I type this.
FEDORA-2023-1068309389 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1068309389
FEDORA-2023-470c7ea49e has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-470c7ea49e
FEDORA-EPEL-2023-40edbf0dcb has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-40edbf0dcb
FEDORA-2023-1068309389 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1068309389` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1068309389 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-40edbf0dcb has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-40edbf0dcb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-470c7ea49e has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-470c7ea49e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-470c7ea49e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-470c7ea49e has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2023-40edbf0dcb has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-1068309389 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.