Hi,

On +2022-11-24 12:17:01 -0300, André Batista wrote:
> Hi!
>
> Thu 04 Aug 2022 at 13:59:20 (1659632360), ludovic.cour...@inria.fr wrote:
> > I think we should instead report it upstream. Do you feel like doing
> > it? I guess we'd need to give them the C version of the three-line
> > snippet I gave earlier.
>
> Upstream issue #6433[1]
>
> Apparently, GIT_SUBMODULE_STATUS_WD_UNINITIALIZED isn't actually set
> in this scenario, only GIT_SUBMODULE_STATUS_IN_CONFIG.
>
> 1. https://github.com/libgit2/libgit2/issues/6433

Wondering if this[1] is all history in gnu/guix-land:

[1] <https://nvd.nist.gov/vuln/detail/CVE-2020-5260>

Wherein it says

--8<---------------cut here---------------start------------->8---
The problem has been patched in the versions published on April 14th, 2020,
going back to v2.17.x. Anyone wishing to backport the change further can do
so by applying commit 9a6bbee (the full release includes extra checks for
git fsck, but that commit is sufficient to protect clients against the
vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3,
2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
--8<---------------cut here---------------end--------------->8---

Is there an automated tool to answer the question, "What executables
(command line directly, or indirectly (including config-directed
interpretation)) does my system contain that have known vulnerabilities?"

BTW: Newsflash: :) RMS paranoia now dernier-cri[3] as cited in [2]

[2] <https://www.theregister.com/2022/11/23/dod_cisa_omb_cybersecurity/>
[3] <https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf>

Something[3] to get (more) serious about for gnu/guix?

-- 
Regards,
Bengt Richter
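One way to answer the narrower question (is a given git build at or past the patched release for CVE-2020-5260?), as an added example that is not code from this thread or from Guix: a version check driven by the NVD patched-version list quoted above. It assumes, following the advisory's wording, that every release series newer than 2.26 shipped after the fix, and that series older than 2.17 got no upstream patched release; a distribution build that backported commit 9a6bbee without changing the version string will still be reported as unpatched, so this is a first filter, not a substitute for inspecting the package's applied patches.

```python
"""Decide whether a git version string carries the CVE-2020-5260 fix.

PATCHED is the list quoted from the NVD entry in the message above.
Series rule (assumption based on the advisory text): within a listed
major.minor series a build is fixed iff it is >= that series' patched
release; any series newer than the newest listed one is treated as fixed;
any series older than 2.17 had no patched upstream release.
"""
import re

PATCHED = ["2.17.4", "2.18.3", "2.19.4", "2.20.3", "2.21.2",
           "2.22.3", "2.23.2", "2.24.2", "2.25.3", "2.26.1"]

_VERSION_RE = re.compile(r"^(?:git version )?v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from 'git --version' style output.

    Trailing vendor suffixes such as '.windows.1' or '-rc0' are ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _patched_by_series():
    # Map (major, minor) -> first patched (major, minor, patch) in that series.
    return {p[:2]: p for p in (parse_version(v) for v in PATCHED)}


def is_fixed(text):
    """True if the version string is at or past the CVE-2020-5260 fix."""
    v = parse_version(text)
    series = _patched_by_series()
    if v[:2] in series:
        return v >= series[v[:2]]
    newest = max(series)
    # Releases in a newer series (2.27.0 and later) came after the fix.
    return v[:2] > newest


def verdict(text):
    """Human-readable result for an audit report line."""
    if is_fixed(text):
        return "fixed"
    return "not fixed by upstream version; check for a backport of 9a6bbee"


if __name__ == "__main__":
    # Constructed sample inputs, not real audit output.
    for s in ["git version 2.26.1", "git version 2.26.0", "2.17.3", "v2.38.1"]:
        print(f"{s}: {verdict(s)}")
```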