Bundled git version has CVEs CVE-2022-23521 and CVE-2022-41903 #4120
Comments
Hi @hacst thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.
Any update?
Is it possible to configure an external GIT client? GIT is not a feature shown on the agent page...
You can set the Even with that set, it would still be good to get a patched agent to avoid any potential of the unpatched version getting used from a pipeline and to avoid our IT staff reporting the unpatched version.
Thanks! Is it possible to set it as a default for all the pipelines?
I didn't see an obvious way to set it for all pipelines. I only have a few pipelines, so I just added the variable to each one.
It's not something I tested for myself, but if I remember correctly if you create an environment variable on the agent machine named
Any update?
This issue has had no activity in 180 days. Please comment if it is not actually stale
As described in https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/ the git version 2.38.1 currently shipped with the agent is vulnerable to two critical CVEs. Namely: CVE-2022-23521, CVE-2022-41903
The agent should be updated to ship a patched version like the most recent 2.39.1 to fix this.
It would also be interesting to know when/whether there will be a corresponding Azure DevOps Server security update.
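A version check for the releases named in the issue above, added here as an example and not part of the original issue or the agent's code. Only 2.38.1 (affected) and 2.39.1 (fixed) come from the issue; the backport patch levels for older series are taken from the Git project's January 2023 security release, and the path to the git binary being audited is supplied by the caller.

```python
import re
import subprocess
import sys

# Minimum patch level per maintenance series that carries the fixes for
# CVE-2022-23521 and CVE-2022-41903. 2.39.1 is named in the issue; the
# other entries are the backports from Git's January 2023 security release.
FIXED = {
    (2, 30): 7, (2, 31): 6, (2, 32): 5, (2, 33): 6, (2, 34): 6,
    (2, 35): 6, (2, 36): 4, (2, 37): 5, (2, 38): 3, (2, 39): 1,
}

def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` output.

    Tolerates vendor suffixes such as '2.38.1.windows.1' and a missing
    patch component (treated as 0).
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no git version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(version):
    """True if this git version contains the fixes for both CVEs."""
    major, minor, patch = version
    series = (major, minor)
    if series in FIXED:
        return patch >= FIXED[series]
    # Series after 2.39 include the fixes; series before 2.30 got no backport.
    return series > max(FIXED)

def audit(git_path):
    """Run the given git binary and report (version, patched?)."""
    out = subprocess.run([git_path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_git_version(out)
    return version, is_patched(version)

if __name__ == "__main__":
    # Pass the git binaries to audit (for example the agent's bundled copy
    # and the one on PATH) as arguments.
    for path in sys.argv[1:] or ["git"]:
        version, ok = audit(path)
        label = "patched" if ok else "VULNERABLE"
        print(f"{path}: {'.'.join(map(str, version))} {label}")
```

Running it against both the agent's bundled git and the system git shows whether a pipeline could still pick up the unpatched copy.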