Urgent: Will gerrit be affected by vulnerability git-cve-2024-32002

218 views

Kai Lei

May 17, 2024, 8:06:09 PM
to Repo and Gerrit Discussion

Luca Milanesio

May 17, 2024, 8:50:21 PM
to Repo and Gerrit Discussion, Luca Milanesio, Kai Lei

On 18 May 2024, at 01:05, Kai Lei <tiger...@gmail.com> wrote:

Hi,
So I am wondering if gerrit will be affected.

Looking at the security report, they all look like Git client issues.

Luca.

--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/CAM-5CsBOava3wGLE9AJHvQx1iAB59fXYCorEiB2t7ZUrrRRvYQ%40mail.gmail.com.

Kai Lei

May 17, 2024, 9:09:40 PM
to Luca Milanesio, Repo and Gerrit Discussion
Thanks, I'll look into it. But do you know any way we can set restrictions on the gerrit side to prevent certain git clients from connecting? 

Sven Selberg

May 20, 2024, 1:42:16 AM
to Repo and Gerrit Discussion
On Saturday, May 18, 2024 at 3:09:40 AM UTC+2 Kai Lei wrote:
Thanks, I'll look into it. But do you know any way we can set restrictions on the gerrit side to prevent certain git clients from connecting? 

They are all cases where someone crafts a malicious git repository and pushes that to a server, and the vulnerability is triggered when someone else clones that repository.
Preventing certain git clients doesn't seem like an effective way to combat that.
If you want to combat that in your Gerrit server:
* Use Gerrit's powerful ACLs and disallow anyone from pushing directly into a branch without review.
* Run verification-on-push to check the uploaded content for exploits of the vulnerability.
* Educate your users to be aware of the risks (as they should be with any tool).

If you'd still want to restrict which git clients can connect, I don't think Gerrit supports that, but the git clients advertise which version they have, so you should be able to refuse git clients with certain versions from connecting to the git server (Gerrit or other) altogether.
But if you choose that route prepare for a bunch of frustrated users.
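The "verification-on-push" item in the reply above, as an added example for this thread (not Gerrit's or Git's own code). The public advisory for CVE-2024-32002 describes a repository where a symbolic link shadows a directory of a submodule path on a case-insensitive filesystem with symlink support, so the submodule gets written through the link. The check below flags exactly that shape in a tree listing: a symlink whose path, compared case-insensitively, equals a leading directory of a submodule (gitlink) path. It assumes the script is wired into whatever push-time verification the server runs (the Gerrit hooks plugin's ref-update hook, a CI job, or similar) and that `git ls-tree -r <rev>` can be run inside the bare repository; the sample trees and object ids are constructed for the example.

```python
"""Heuristic push-time check for the tree shape described in the
CVE-2024-32002 advisory (symlink shadowing a submodule's parent directory).
Added example for the repo-discuss thread, not Gerrit or Git code."""
import re
import subprocess
from typing import Iterable, List, Tuple

MODE_SYMLINK = "120000"
MODE_GITLINK = "160000"  # a submodule entry in the tree

# One line of `git ls-tree -r <rev>`: "<mode> <type> <object>\t<path>"
LS_TREE_RE = re.compile(
    r"^(?P<mode>\d{6}) (?P<type>\w+) (?P<obj>[0-9a-f]{40,64})\t(?P<path>.+)$"
)

Entry = Tuple[str, str]  # (mode, path)


def parse_ls_tree(lines: Iterable[str]) -> List[Entry]:
    """Keep mode and path of each ls-tree line; skip anything malformed."""
    entries: List[Entry] = []
    for line in lines:
        m = LS_TREE_RE.match(line.rstrip("\n"))
        if m:
            entries.append((m["mode"], m["path"]))
    return entries


def suspicious_entries(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (symlink_path, submodule_path) pairs where the symlink's path,
    compared case-insensitively, equals a directory prefix of the submodule
    path. On a case-insensitive checkout the submodule would be written
    through the symlink instead of into a real directory."""
    entries = list(entries)
    symlinks = {p.lower(): p for mode, p in entries if mode == MODE_SYMLINK}
    findings: List[Tuple[str, str]] = []
    for mode, sub_path in entries:
        if mode != MODE_GITLINK:
            continue
        parts = sub_path.split("/")
        for i in range(1, len(parts)):  # every proper directory prefix
            prefix = "/".join(parts[:i]).lower()
            if prefix in symlinks:
                findings.append((symlinks[prefix], sub_path))
    return findings


def check_revision(repo_dir: str, rev: str) -> List[Tuple[str, str]]:
    """Run the check against a revision of a real repository (assumes git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", rev],
        check=True, capture_output=True, text=True,
    ).stdout
    return suspicious_entries(parse_ls_tree(out.splitlines()))


# Constructed sample trees; the object ids are placeholders, not real objects.
SAMPLE_CLEAN = [
    "100644 blob e69de29bb2d1d6434b8b29ae775ad8c2e48c5391\tREADME.md",
    "160000 commit 1111111111111111111111111111111111111111\tthird_party/libfoo",
]
SAMPLE_SUSPICIOUS = [
    "120000 blob 2222222222222222222222222222222222222222\ta",
    "160000 commit 3333333333333333333333333333333333333333\tA/modules/x",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check.py <bare_repo_dir> <new_rev>
        hits = check_revision(sys.argv[1], sys.argv[2])
    else:
        hits = suspicious_entries(parse_ls_tree(SAMPLE_SUSPICIOUS))
    for link, sub in hits:
        print(f"REJECT: symlink {link!r} shadows submodule path {sub!r}")
    sys.exit(1 if hits else 0)
```

A non-zero exit is what a ref-update style hook turns into a rejected push. The check only looks at the final tree of the pushed revision, so a reviewer still has to read the submodule URL and the `.gitmodules` content; it is a cheap filter in front of the ACL-and-review policy above, not a replacement for it.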
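The client-version refusal the reply above describes, as an added example (not Gerrit's own code, which has no such setting). Over HTTP a stock git client sends `User-Agent: git/<version>`; the gate below parses that string and compares it with the first patched release of each maintained line from the May 2024 Git advisory (2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4). The enforcement point, a reverse proxy or auth layer in front of Gerrit's HTTP endpoint that calls `decide()` and returns 403, is an assumption, and the sample agent strings are constructed. Two caveats the reply hints at: the header is trivially spoofable, and blocking old clients only forces an upgrade; it does nothing against the malicious push itself.

```python
"""Reject git clients that advertise a version older than the fix for the
May 2024 Git advisory (CVE-2024-32002 among others). Added example, not
part of Gerrit; the enforcement point (reverse proxy / auth layer) is assumed."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First patched release of each maintained line, per the Git security release.
PATCHED: dict = {
    (2, 45): (2, 45, 1),
    (2, 44): (2, 44, 1),
    (2, 43): (2, 43, 4),
    (2, 42): (2, 42, 2),
    (2, 41): (2, 41, 1),
    (2, 40): (2, 40, 2),
    (2, 39): (2, 39, 4),
}
NEWEST_LINE = max(PATCHED)

# Matches "git/2.45.1" and "git/2.45.1.windows.1"; deliberately case-sensitive so
# "JGit/6.9.0" (a different implementation) is not mistaken for a stock client.
VERSION_RE = re.compile(r"\bgit/(\d+)\.(\d+)\.(\d+)")


def parse_git_version(agent: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a User-Agent / agent capability string."""
    m = VERSION_RE.search(agent)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_patched(version: Version) -> bool:
    """True if the version is at or above the fix for its line. Lines newer than
    the newest one in the table are treated as patched; lines older than 2.39
    received no fix and are treated as vulnerable."""
    line = version[:2]
    if line in PATCHED:
        return version >= PATCHED[line]
    return line > NEWEST_LINE


def decide(user_agent: str, allow_unknown: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). Clients that advertise no stock-git version
    (JGit, libgit2, scripts) are a policy choice: allow_unknown decides."""
    v = parse_git_version(user_agent)
    if v is None:
        return allow_unknown, "no stock git version advertised"
    label = "git %d.%d.%d" % v
    if is_patched(v):
        return True, f"{label} is at or above a patched release"
    return False, f"{label} predates the fix for this line; client must upgrade"


# Constructed sample agent strings.
SAMPLE_AGENTS = [
    "git/2.45.0",
    "git/2.45.1.windows.1",
    "git/2.39.4",
    "git/2.38.5",
    "git/2.46.0",
    "JGit/6.9.0.202403050737-r",
]

if __name__ == "__main__":
    for agent in SAMPLE_AGENTS:
        allowed, reason = decide(agent, allow_unknown=False)
        print(f"{'ALLOW ' if allowed else 'REJECT'} {agent:35} {reason}")
```

In a proxy this becomes a request rule on the `User-Agent` header for the `/.../info/refs` and `git-upload-pack` paths; expect the frustrated users the reply mentions, because distribution packages lag the upstream fix releases.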