by sshine 1252 days ago
[Edit: According to @rlpb's comment, git 2.39.1 is already available on Ubuntu]

To install the latest git on Ubuntu:

  sudo apt upgrade git

[Former post included instructions on how to install git from https://launchpad.net/~git-core/+archive/ubuntu/ppa]
3 comments

> [Edit: According to @rlpb's comment, git 2.39.1 is already available on Ubuntu]

Note that I said Ubuntu's git package was updated, but didn't say to what version. Ubuntu, like most stable distributions, cherry-picks security fixes rather than bumping major versions, so Ubuntu users will get a version with these vulnerabilities patched but not necessarily a bump up to 2.39.1. See https://ubuntu.com/security/notices/USN-5810-1 for details.

Ubuntu will update git, without having to add this.

Indeed! Ubuntu updated git at 18:44Z, nearly an hour before you posted that comment :-)

Hopefully soon :)

> git 2.39.1 is already available on Ubuntu

The updater just gave me 1:2.37.2-1ubuntu1.2 (to replace 1:2.37.2-1ubuntu1.1). It said it addresses the two CVEs in question.

So they (Ubuntu or maybe Debian) are taking the approach of patching a slightly older git version.

I'm not sure why they aren't bumping the patch number, maybe they decided against applying the other parts of the patch for least change - but at least the CVEs are mentioned in all of the Ubuntu changelogs.

I can't find anything in the Debian changelogs referring to the CVEs. Yet the Ubuntu changelog refers to it as a Debian patch...

Anyone know anything about Debian?

Thank you!