Git security vulnerabilities announced
Blog post from GitHub
The Git project has released new versions to address two security vulnerabilities, CVE-2023-22490 and CVE-2023-23946, affecting versions 2.39.1 and older. CVE-2023-22490 involves Git's local clone optimization: a specially crafted repository can trick Git into using the local clone optimization with a non-local transport, which may allow data exfiltration. CVE-2023-23946 relates to the git apply command: a malicious patch can exploit symbolic links to write arbitrary files outside the working copy. To mitigate these risks, users are advised to upgrade to Git version 2.39.2 and follow best practices such as avoiding untrusted repositories and inspecting patches before applying them. GitHub has implemented several measures to prevent exploitation, including updates to GitHub Desktop, Codespaces, Actions, and Enterprise Server. The fixes were contributed by Taylor Blau of GitHub and Patrick Steinhardt of GitLab, with acknowledgment to the discoverers yvvdwf and Joern Schneeweisz.
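A defender-side pre-check for the "inspect patches" advice above, added here as an illustration and not code from the Git project or GitHub: it scans a unified diff for target paths that would resolve through a symbolic link in the checkout, for paths that escape the working tree, and for hunks that introduce a symlink. The function names, the throwaway checkout and the sample patch are constructed for this example.

```python
import os
import re
import tempfile
from typing import List, Optional

# Header lines of a unified diff as emitted by "git diff" / "git format-patch".
DIFF_GIT_RE = re.compile(r"^diff --git a/(.+?) b/(.+)$")
MODE_RE = re.compile(r"^(?:new|old) file mode (\d{6})$")
SYMLINK_MODE = "120000"  # Git's tree-entry mode for a symbolic link

def patch_findings(patch_text: str, worktree: str) -> List[str]:
    """Heuristic pre-check (not a substitute for upgrading Git): flag absolute or
    '..' paths, paths whose ancestor directory in the checkout is already a symlink,
    and hunks that create a symlink a later hunk in the same patch could write through."""
    findings: List[str] = []
    current: Optional[str] = None
    for line in patch_text.splitlines():
        m = DIFF_GIT_RE.match(line)
        if m:
            current = m.group(2)
            parts = current.split("/")
            if os.path.isabs(current) or ".." in parts:
                findings.append(f"{current}: escapes the working tree")
                continue
            # Check every ancestor directory of the target path inside the checkout.
            for i in range(1, len(parts)):
                if os.path.islink(os.path.join(worktree, *parts[:i])):
                    findings.append(f"{current}: ancestor {'/'.join(parts[:i])} is a symlink")
                    break
            continue
        m = MODE_RE.match(line)
        if m and m.group(1) == SYMLINK_MODE and current is not None:
            findings.append(f"{current}: patch creates or replaces a symbolic link")
    return findings

def demo() -> List[str]:
    """Scan a constructed patch against a throwaway checkout containing a symlinked dir."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(root, "vendor"))  # vendor -> directory outside root
    sample_patch = "\n".join([
        "diff --git a/vendor/hook.sh b/vendor/hook.sh",  # would land outside via the symlink
        "new file mode 100644", "--- /dev/null", "+++ b/vendor/hook.sh",
        "@@ -0,0 +1 @@", "+echo constructed sample",
        "diff --git a/build b/build",  # second hunk introduces a symlink
        "new file mode 120000", "--- /dev/null", "+++ b/build",
        "@@ -0,0 +1 @@", "+/",
    ])
    return patch_findings(sample_patch, root)
```

A clean patch against a checkout with no symlinked ancestors returns an empty list; anything returned is a reason to read the patch by hand before running git apply.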