
CVE-2022-24765 - Multi-user Git Privilege Escalation
Open, Needs Triage, Public

Description

See https://secure.phabricator.com/T13673 for full details.


This is mostly recorded for completeness; TL;DR is (1) likely no real security risk to installs, but (2) some Ubuntu-based installs may be broken due to the security fix.

Upstream might fix the fix by updating a bunch of call sites to git in the web/conduit flows.

Event Timeline

err, I was trying to put it out as a Security PSA, so I clicked "Create security task" which I guess is the opposite of a PSA...

avivey changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 13 2022, 18:10
avivey shifted this object from the Restricted Space space to the S1 Public space.

We need to cherry-pick and import the changes Evan made into the Phorge repository as well...

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

ahh, I was wondering why my Phorge install suddenly broke - seems to be the case here too

Apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS; downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

git (1:2.25.1-1ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: Run commands in diff users
    - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
      an owner check for the top-level-directory; add a function to
      determine whether a path is owned by the current user in patch.c,
      t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
      git-compat-util.h.
    - CVE-2022-24765

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Fri, 08 Apr 2022 09:57:16 -0300

git (1:2.25.1-1ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: cross-protocol request via newline character in repo path
    - debian/patches/CVE-2021-40330.patch: forbid newline in git:// hosts and
      repo paths
    - CVE-2021-40330

 -- Spyros Seimenis <spyros.seimenis@canonical.com>  Thu, 09 Sep 2021 14:42:33 +0300

git (1:2.25.1-1ubuntu3.1) focal-security; urgency=medium

  * SECURITY UPDATE: remote code exec during clone on case-insensitive FS
    - debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
      follow symlinks in leading path in cache.h, compat/mingw.c,
      git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
      t/t0021/rot13-filter.pl, t/t2006-checkout-index-basic.sh,
      unpack-trees.c.
    - CVE-2021-21300

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 04 Mar 2021 08:01:28 -0500

The two other patches don't seem to be of particular interest for most Phorge instances, though more exotic setups might have issues with the first (oldest) one not being included.
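The owner check described in the changelog entry above (the git fix for CVE-2022-24765) refuses a repository whose top-level directory is owned by a different uid than the one running git, which is exactly the condition a Phorge install hits when the web-server user runs git in repositories owned by the daemon user. The script below is an added example, not code from this thread or from Phorge; it emulates that check so an administrator can find affected repositories before applying the fix, and it assumes a GNU or BSD `stat` and an assumed repository root such as `/var/repo`.

```shell
#!/bin/sh
# Added example (not from this thread): emulate the top-level-directory owner
# check that the CVE-2022-24765 fix adds to git. Git now refuses a repository
# whose top-level directory is owned by a uid other than the one running it.
# Phorge hits this when the web-server user runs git in repositories owned by
# the daemon user. Assumed: GNU or BSD stat is available.

# Print the numeric uid owning a path; tries the GNU then the BSD stat syntax.
owner_uid() {
  stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null
}

# Exit 0 if the directory is owned by the current user (git would accept it),
# 1 if it is owned by someone else (git reports "dubious ownership"),
# 2 if the path is missing or unreadable.
repo_owner_check() {
  repo_dir=$1
  [ -d "$repo_dir" ] || return 2
  owner=$(owner_uid "$repo_dir") || return 2
  [ "$owner" = "$(id -u)" ] && return 0
  return 1
}

# Walk the immediate subdirectories of a repository root (run this as the
# user that will execute git, e.g. the web user) and print each one the
# owner check would reject. Exit 1 if any were found, 0 otherwise.
scan_repos() {
  base=$1
  dubious=0
  for d in "$base"/*/; do
    [ -d "$d" ] || continue
    if ! repo_owner_check "$d"; then
      echo "dubious ownership: $d (owner uid $(owner_uid "$d"), running as uid $(id -u))"
      dubious=1
    fi
  done
  return $dubious
}

# Usage: scan_repos /var/repo   (assumed Phorge repository root)
```

Any directory the scan reports will be refused by a patched git until either ownership is made consistent with the user running git or that user's git configuration explicitly trusts the path (git's `safe.directory` setting).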

Apparently, Ubuntu maintainers have backported a patch for the older version of git in 20.04 LTS; downgrading to version 1:2.25.1-1ubuntu3 seems to be a temporary workaround, losing the following patches:

I don't think having people downgrade is a good idea. I think we should probably cherry-pick Evan's fix from upstream into the Phorge codebase.


seems to be a temporary workaround

It was especially aimed at this Phorge here, to get it to work until the fix is pulled in from upstream.

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

In T15090#2141, @avivey wrote:

@avivey Would it make sense to add a public announcement to Diviner or Phiction? Or perhaps we use Phame for this use case (Create a "Security Incidents" blog)? I always think of a task as an actionable item, whereas we would want this to exist forever.

Yes, probably. "Announcements"-style thing

T15095: Setup an announcements blog with Phame

@avivey has fixed this on the upstream install.