CVE-2024-32002

Question

CVE-2024-32002

cuibty opened this issue a year ago · comments

Version Information

Cmder version: v1.3.24
Operating system: windows 11

https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv

Cmder Edition

Cmder Full (with Git)

Description of the issue

CVE-2024-32002

How to reproduce

No response

Additional context

CVE-2024-32002

Checklist

I have read the documentation.
I have searched for similar issues and found none that describe my issue.
I have reproduced the issue on the latest version of Cmder.
I am certain my issues are not related to ConEmu, Clink, or other third-party tools that Cmder uses.

Chris Antos · Answer 1 · Fri May 31 2024 22:45:46 GMT+0800 (China Standard Time)

It's saying there's a security bug in git.

The mitigation would be to update the version of git included by Cmder.

David Refoua · Answer 2 · Fri May 31 2024 23:10:30 GMT+0800 (China Standard Time)

@MartiUK Do we need to release a v1.3.25? The previous included version of git in v1.3.24 was v2.41.0.windows.3 which apparently is v2.41.0 <=v2.40.1 i.e. vulnerable according to CVE-2024-32002

Martin Kemp · Answer 3 · Fri May 31 2024 23:20:18 GMT+0800 (China Standard Time)

Yes, I think we do.

Martin Kemp · Answer 4 · Fri May 31 2024 23:23:12 GMT+0800 (China Standard Time)

https://github.com/cmderdev/cmder/releases/tag/v1.3.25

David Refoua · Answer 5 · Sat Jun 01 2024 00:12:29 GMT+0800 (China Standard Time)

@cuibty Fixed in https://github.com/cmderdev/cmder/releases/tag/v1.3.25