{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "git", "git-man" ] } }, "diff": { "deb": [ { "name": "git", "from_version": { "source_package_name": "git", "source_package_version": "1:2.34.1-1ubuntu1.16", "version": "1:2.34.1-1ubuntu1.16" }, "to_version": { "source_package_name": "git", "source_package_version": "1:2.34.1-1ubuntu1.17", "version": "1:2.34.1-1ubuntu1.17" }, "cves": [ { "cve": "CVE-2022-24765", "url": "https://ubuntu.com/security/CVE-2022-24765", "cve_description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cve_priority": "medium", "cve_public_date": "2022-04-12 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2142790 ], "changes": [ { "cves": [ { "cve": "CVE-2022-24765", "url": "https://ubuntu.com/security/CVE-2022-24765", "cve_description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cve_priority": "medium", "cve_public_date": "2022-04-12 18:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Include not respected for protected configuration.", " (LP: #2142790)", " - debian/patches/CVE-2022-24765-fix3.patch: Use config_with_options in", " read_protected_config in config.c.", "" ], "package": "git", "version": "1:2.34.1-1ubuntu1.17", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2142790 ], "author": "Hlib Korzhynskyy ", "date": "Thu, 26 Feb 2026 16:19:53 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "git-man", "from_version": { "source_package_name": "git", "source_package_version": "1:2.34.1-1ubuntu1.16", "version": "1:2.34.1-1ubuntu1.16" }, "to_version": { "source_package_name": "git", "source_package_version": "1:2.34.1-1ubuntu1.17", "version": "1:2.34.1-1ubuntu1.17" }, "cves": [ { "cve": "CVE-2022-24765", "url": "https://ubuntu.com/security/CVE-2022-24765", "cve_description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cve_priority": "medium", "cve_public_date": "2022-04-12 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2142790 ], "changes": [ { "cves": [ { "cve": "CVE-2022-24765", "url": "https://ubuntu.com/security/CVE-2022-24765", "cve_description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cve_priority": "medium", "cve_public_date": "2022-04-12 18:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Include not respected for protected configuration.", " (LP: #2142790)", " - debian/patches/CVE-2022-24765-fix3.patch: Use config_with_options in", " read_protected_config in config.c.", "" ], "package": "git", "version": "1:2.34.1-1ubuntu1.17", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2142790 ], "author": "Hlib Korzhynskyy ", "date": "Thu, 26 Feb 2026 16:19:53 -0330" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260227 to 20260228", "from_series": "jammy", "to_series": "jammy", "from_serial": "20260227", "to_serial": "20260228", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }