{"affected":[{"ecosystem_specific":{"binaries":[{"git-lfs":"3.6.1-bp156.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP6","name":"git-lfs","purl":"pkg:rpm/suse/git-lfs&distro=SUSE%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.6.1-bp156.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"git-lfs":"3.6.1-bp156.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"git-lfs","purl":"pkg:rpm/opensuse/git-lfs&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.6.1-bp156.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for git-lfs fixes the following issues:\n\nUpdate to 3.6.1: (boo#1235876):\n\n  This release introduces a security fix for all platforms, which\n  has been assigned CVE-2024-53263.\n\n  When requesting credentials from Git for a remote host, prior\n  versions of Git LFS passed portions of the host's URL to the\n  git-credential(1) command without checking for embedded\n  line-ending control characters, and then sent any credentials\n  received back from the Git credential helper to the remote host.\n  By inserting URL-encoded control characters such as line feed\n  (LF) or carriage return (CR) characters into the URL, an attacker\n  might have been able to retrieve a user's Git credentials.\n  Git LFS now prevents bare line feed (LF) characters from being\n  included in the values sent to the git-credential(1) command, and\n  also prevents bare carriage return (CR) characters from being\n  included unless the credential.protectProtocol configuration\n  option is set to a value equivalent to false.\n\n  * Bugs\n\n    - Reject bare line-ending control characters in Git credential\n      requests (@chrisd8088)\n\nupdate to version 3.6.0:\n\n- https://github.com/git-lfs/git-lfs/releases/tag/v3.6.0\n\nupdate to 3.5.1:\n\n  * Build release assets with Go 1.21 #5668 (@bk2204)\n  * script/packagecloud: instantiate distro map properly #5662\n    (@bk2204)\n  * Install msgfmt on Windows in CI and release workflows\n    #5666 (@chrisd8088)\n\nupdate to version 3.4.1:\n\n- https://github.com/git-lfs/git-lfs/releases/tag/v3.4.1\n\n","id":"openSUSE-SU-2025:0153-1","modified":"2025-05-12T16:01:51Z","published":"2025-05-12T16:01:51Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUJEMV422T3LAPI4DRX6RNNLCCUYCIHN/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1235876"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-53263"}],"related":["CVE-2024-53263"],"summary":"Security update for git-lfs","upstream":["CVE-2024-53263"]}