Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14746 closed enhancement (fixed)


Reported by: ken@…
Owned by: Douglas R. Reno
Priority: normal
Milestone: 11.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:


Released today, with an announcement at GitHub that it fixes CVE-2021-21300 - see

Normal priority, because on Linux this not only requires clean/smudge filters to be used, it requires use of a case-insensitive filesystem which supports symbolic links. That applies to macOS and Windows, but for Linux you would need to either configure ext4 or f2fs to be case-insensitive, or else clone onto an NTFS, HFS+ or APFS filesystem.

Change History (5)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

Git v2.30.2 Release Notes

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.

Git v2.17.6 Release Notes

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5

 * CVE-2021-21300:
   On case-insensitive file systems with support for symbolic links,
   if Git is configured globally to apply delay-capable clean/smudge
   filters (such as Git LFS), Git could be fooled into running
   remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.

Since we're not affected (as mentioned in the ticket description - thank you Ken), I'll leave it as normal.
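
The conditions quoted above (a Git release older than the fixed one on its maintenance track, a case-insensitive filesystem with symbolic links, and a globally configured delay-capable filter) can be checked on a given machine. The script below is an added example, not part of the original ticket or of Git; the function names are hypothetical, releases after 2.30 are assumed to carry the fix, and any `filter.<name>.process` entry is treated as potentially delay-capable.

```sh
#!/bin/sh
# Exposure check for CVE-2021-21300 (added example). Run: script --report [DIR]

# Succeeds when version $1 is at or above the fixed release of its maintenance
# track, using the versions listed in the release notes above.
git_version_patched() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}      # "0-rc1" -> "0"
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    case $minor in
        17|19) fixed=6 ;;  18|20|22|25) fixed=5 ;;  21|23|24) fixed=4 ;;
        26|29) fixed=3 ;;  30)          fixed=2 ;;  27|28)    fixed=1 ;;
        # Assumption: tracks after 2.30 carry the fix; before 2.17 none is listed.
        *) [ "$minor" -gt 30 ]; return ;;
    esac
    [ "$patch" -ge "$fixed" ]
}

# Succeeds when DIR ($1) sits on a case-insensitive filesystem with symlink support.
fs_matches_advisory() {
    probe=$(mktemp -d "${1:-.}/cve-probe.XXXXXX") || return 2
    : > "$probe/casetest"
    ln -s casetest "$probe/link" 2>/dev/null
    if [ -e "$probe/CASETEST" ] && [ -L "$probe/link" ]; then rc=0; else rc=1; fi
    rm -rf "$probe"; return "$rc"
}

# Prints filters configured outside any repository that use the long-running
# process protocol, the only kind that can advertise the "delay" capability.
process_filters() {
    for scope in --system --global; do
        git config "$scope" --get-regexp '^filter\..*\.process$' 2>/dev/null || true
    done
}

report() {
    ver=$(git version 2>/dev/null | awk '{print $3}')
    [ -n "$ver" ] || { echo "git not found"; return 2; }
    if git_version_patched "$ver"; then echo "git $ver carries the fix"; return 0; fi
    echo "git $ver predates the fix"
    if fs_matches_advisory "${1:-.}"; then echo "  filesystem: case-insensitive with symlinks"; fi
    filters=$(process_filters)
    if [ -n "$filters" ]; then echo "  process filters: $filters"; fi
    return 1
}

if [ "${1:-}" = "--report" ]; then report "${2:-.}"; fi
```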

comment:3 by Douglas R. Reno, 3 years ago

Something interesting of note:

The build with the tests only took 2.5 SBU for me. I think this is due to building on an SSD.

Test results are identical to previous versions:

fixed   0
success 22806
failed  0
broken  241
total   23368

comment:4 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r24365

comment:5 by Bruce Dubbs, 3 years ago

Milestone: 10.2 → 11.0

Milestone renamed
