Package | git-lfs |
---|---|
Version | 2.7.1-1+deb10u2 (buster) |
Related CVEs | CVE-2024-53263 |
CVE-2024-53263
When Git LFS requests credentials from Git for a remote host, it passes portions of the host’s URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user’s Git credentials.
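The missing check described above can be illustrated with a short Go sketch. It is an added example, not Git LFS's own code or its patch: the function names, the `strict` flag and the sample URL are assumptions made here to show why a percent-decoded LF matters in the line-oriented key=value input that git-credential(1) reads.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type field struct{ key, value string }

// credentialFields (hypothetical helper) picks the URL parts handed to the
// credential helper. net/url percent-decodes Path, so "%0A" arrives as LF.
func credentialFields(rawURL string) ([]field, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return []field{
		{"protocol", u.Scheme},
		{"host", u.Host},
		{"path", strings.TrimPrefix(u.Path, "/")},
	}, nil
}

// buildCredentialInput (hypothetical) renders one key=value line per field.
// With strict set, a value containing CR, LF or NUL is refused, not written.
func buildCredentialInput(rawURL string, strict bool) (string, error) {
	fields, err := credentialFields(rawURL)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	for _, f := range fields {
		if strict && strings.ContainsAny(f.value, "\r\n\x00") {
			return "", fmt.Errorf("credential field %q contains CR, LF or NUL", f.key)
		}
		fmt.Fprintf(&b, "%s=%s\n", f.key, f.value)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample URL: the path carries a URL-encoded LF.
	const sample = "https://git.example.com/repo.git%0Ainjected=1"
	loose, _ := buildCredentialInput(sample, false)
	_, err := buildCredentialInput(sample, true)
	fmt.Printf("unchecked: %q\nstrict: %v\n", loose, err)
}
```

Without the check, the single path value is emitted as two lines, so the reader of the block sees a key the caller never intended to send; with the check, the request is rejected before anything reaches the credential helper.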
For Debian 10 buster, this problem has been fixed in version 2.7.1-1+deb10u2.
We recommend that you upgrade your git-lfs packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.