security issue: update git now

Hello,

Please update your git clients to fix issue

which can lead to malicious code being executed on your machine.

cc @cintiadr, is this something we still have to do for our infra? Not sure how git is installed/updated on bamboo for example.


Thanks for the message, @teleivo! 🙂

Sort of yes. We installed the package, but security patches are applied very frequently, automatically. https://people.canonical.com/~ubuntu-security/cve/pkg/git.html

That’s why we tend to have mini-outages every weekend.

As always @teleivo, thanks for looking out for the OpenMRS community.

Given someone cloning a repo is likely to be compiling & running the code in that repo, having someone committing malicious code to the repo seems like a bigger problem than this bug. Is it typical for people to issue git clone --recursive on a repo for which they aren’t going to run the code? Am I missing something? This feels like a warning “we have discovered a vulnerability that would allow someone preparing your food to plant a bomb in your house.” 🙂

update: Oh. I see from the videos that merely cloning a repo to check it out could get you into trouble. That’s not good. Time to update git! Thanks @teleivo!

Upgraded!

For macOS/Homebrew the upgrade process is just:

brew install git
brew switch git 2.17.1

brew upgrade did the update for me as well