by codazoda 1251 days ago
I don't think Apple has patched this yet (it just came out 3 hours ago). Looks like homebrew got right on it so I installed via that with the following command.

`brew install git`

The latest version in Ventura 13.1 seems to be either 2.24.3 or 2.37.1 (not all my co-workers' machines match). I'm not sure if these are defaults, different because some of us have XCode, or if some of us manually installed. In any case, brew install got me up to date.


I too think package managers are amazing...

reads new git security threat

"brew upgrade"

done!

Running brew upgrade uses git, so it has to run the insecure git to upgrade.
Wait until you hear about how your OpenSSL patches get delivered!
Via signed Git tags?

  object 19cc035b6c6f2283573d29c7ea7f7d675cf750ce
  type commit
  tag openssl-3.0.7
  tagger Tomas Mraz <tomas@openssl.org> 1667335515 +0100

  OpenSSL 3.0.7 release tag
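What a signed tag actually covers, as an added example that is not part of the thread: the Python below splits a tag object in the layout shown above into the payload and the detached signature. `git verify-tag` hands exactly that payload and signature to gpg, so a "good signature" result still depends on already holding a trusted copy of the tagger's key, which is the point argued below. The tag text, object id and signature body are constructed placeholders.

```python
"""Split a Git tag object into the payload GPG signs and the detached
signature appended to it. Added example; the tag below is constructed
and its signature body is a placeholder, not real signature data."""
import re

# Constructed sample in the layout of `git cat-file -p <tag>`.
SAMPLE_TAG = """\
object 0000000000000000000000000000000000000000
type commit
tag example-1.0.0
tagger Example Maintainer <maint@example.invalid> 1667335515 +0100

Example 1.0.0 release tag
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERSIGNATUREDATA
=ABCD
-----END PGP SIGNATURE-----
"""

# Git treats everything from the BEGIN line to the end of the object as
# the signature and everything before it as the signed payload.
SIG_START_RE = re.compile(r"^-----BEGIN PGP SIGNATURE-----$", re.MULTILINE)
HEADER_RE = re.compile(r"^(object|type|tag|tagger) (.*)$")


def split_tag(raw):
    """Return (headers, message, signature); signature is None if unsigned.

    headers + message is the exact text gpg verifies. Note that nothing
    binds the tag *name* you asked for to the one inside the payload
    unless you compare them yourself."""
    m = SIG_START_RE.search(raw)
    if m is None:
        payload, signature = raw, None
    else:
        payload, signature = raw[:m.start()], raw[m.start():]
    head, _, message = payload.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        hm = HEADER_RE.match(line)
        if hm is None:
            raise ValueError("unexpected tag header: %r" % line)
        headers[hm.group(1)] = hm.group(2)
    return headers, message, signature


def tagger_epoch(headers):
    """Unix timestamp from the tagger line: 'name <email> <epoch> <tz>'."""
    return int(headers["tagger"].rsplit(" ", 2)[1])
```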
And how, pray tell, are you downloading those signatures? Or the public keys corresponding to them, for that matter, if you don't have them locally already (and, if you do, why do you trust them given that your transport layer has been compromised?)

Besides: if you actually verify `git` signatures, you can count yourself in a club of less than a dozen people who bother. That isn't to say that you're wrong to, just that an optional signature is, to a first approximation, as useful as not signing at all.

The public keys for those signatures have already been downloaded by any vendor who knows what they're doing; a new TLS forgery vulnerability won't really hurt there.

Or, let's put it this way: If you don't bother with the signatures, a TLS forgery likely isn't the easiest way to feed you a fake openssl release, hijacking an account or hacking Github et al are.

Also, Github itself verifies Git signatures, and the maintainers seem to have Github's "vigilant mode" on.

brew repositories are hosted at Github. According to the linked article Github did a full scan on all repositories whether those attacks were already in use and implemented mitigations to make it impossible to push attacks to Github. I.e. it should be safe to run brew upgrade.
ugh technically correct, the best type of correct