You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.
When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.
Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.
We would like to extend a special thanks to the following open-source contributors:
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.6.0->3.6.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
git-lfs/git-lfs (git-lfs/git-lfs)
v3.6.1Compare Source
This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.
When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the
git-credential(1)command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the
git-credential(1)command, and also prevents bare carriage return (CR) characters from being included unless thecredential.protectProtocolconfiguration option is set to a value equivalent tofalse.We would like to extend a special thanks to the following open-source contributors:
Bugs
Packages
Up to date packages are available on PackageCloud and Homebrew.
RPM RHEL 7/CentOS 7
RPM RHEL 8/Rocky Linux 8
RPM RHEL 9/Rocky Linux 9
Debian 10
Debian 11
Debian 12
SHA-256 hashes:
git-lfs-darwin-amd64-v3.6.1.zip
b53c361e6c85479507ed39ba99b87ec0888ac52f5afd2084fc68af4103081391
git-lfs-darwin-arm64-v3.6.1.zip
83b4ea3b0c72ba19e3bc46e47e92476f4505cc96693333b9fa0a314dddacc4ba
git-lfs-freebsd-386-v3.6.1.tar.gz
976e6123166ad54cd752a70a50f10d3cac22d35afc622f9ad1129320dc463bce
git-lfs-freebsd-amd64-v3.6.1.tar.gz
77c58f7d9ff207efa371fcf048900fa404d12393434c23c767a2f7dbabd0d8e1
git-lfs-linux-386-v3.6.1.tar.gz
62dd22e2cde54c051faaf58b5432f033a0cb6bf366d00648b1bc1b9ed1e819e1
git-lfs-linux-amd64-v3.6.1.tar.gz
2138d2e405a12f1a088272e06790b76699b79cb90d0317b77aafaf35de908d76
git-lfs-linux-arm-v3.6.1.tar.gz
7e3e7df9d7cc663efab9d996c67af17d99afe8b0ce2fc002703cac0b8826f4f7
git-lfs-linux-arm64-v3.6.1.tar.gz
1c2720ff53528fbe769633d448d830aa7b682141e3c4f6a9f26b9cf3b2548d0a
git-lfs-linux-loong64-v3.6.1.tar.gz
0135b9fa6c8a13d4c7cec6e434b6cc4391b74321aa13743dd7e8f14bd33648f8
git-lfs-linux-ppc64le-v3.6.1.tar.gz
86d42801b6e70522560eb3e33c0512f9733b3dad1ca08471cd135f445029cdfb
git-lfs-linux-riscv64-v3.6.1.tar.gz
e26adb02957e859385159d60dd642b800a265d3fcd38590266d3428aefb4ddba
git-lfs-linux-s390x-v3.6.1.tar.gz
c9aa0391ac58c5ed695fceec891c953d12fe78ae31ecbd5fd3cb4204cf8273a9
git-lfs-v3.6.1.tar.gz
1417b7ee9a8fba8d649a89f070fdcde8b2593ca2caa74e3e808d2bb35d5ca5f7
git-lfs-windows-386-v3.6.1.zip
74fd0d4c9ea314719b6890667b0e528c4467726e1a7302e68221afba806a69b5
git-lfs-windows-amd64-v3.6.1.zip
aaca788e04f91676e58654d5ecf96cf03c76768a63b3a6918281a9678884c20c
git-lfs-windows-arm64-v3.6.1.zip
ad40ab00a73ef4bf63c969472d0e5a824686b495dbc01ea8e9e4cc456c49a4b0
git-lfs-windows-v3.6.1.exe
5492bd2d7b37fcb821f48cac17895feb2506d26ad4cde996a30940e86dfecc27
hashes.asc
a5d1256409e83743608fdc43716bd1dc2fbffe00b5f116016d5886187874dcab
sha256sums.asc
4f16f1db8a18631ac9b21cce1545a692373e2b5edc8e211cd959c447d14dfef2
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.