Git, the version control system used by millions of developers to manage the source code that is the crown jewels of most corporations, has two newly disclosed vulnerabilities.
The first bug lets a malicious repository, when it is cloned, write files into directories outside the clone that it should never be able to touch; that is enough to put attacker-controlled code onto the developer's machine.
The second bug lets an attacker read arbitrary memory, and it is not limited to a single development platform.
How much damage will be done is unknown. The likely scenario is that most responsible development teams will update their Git client, but a surprisingly large number will not, and that is where the attackers will head.
So, what should you do?
Fixes have been released for several maintained versions of Git, not only the latest one. We are starting to see more of this as serious bugs appear and maintainers know that many users have not updated to the current version.
The patched releases are 2.13.7, 2.14.4, 2.15.2, 2.16.4 and 2.17.1 (packaged for Windows as Git for Windows 2.17.1(2)). Run git --version to see which one you have; anything older than the patched release in its series, or on a series older than 2.13 that received no fix at all, needs upgrading.
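A quick way to tell whether an installed Git carries these fixes, as an added example that is not from the original post or from the Git project: the script below parses the output of git --version, maps the version to its release series and compares it against the patched release for that series. The series list is the one from the post; treating any 2.18-or-newer release as patched, and treating any series older than 2.13 (which got no fixed release) as vulnerable, are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post or from the Git project).
# Decides whether the output of `git --version` names a release that carries
# the fixes discussed above. Patched releases per series, from the post:
#   2.13.7  2.14.4  2.15.2  2.16.4  2.17.1
# Assumptions of this example: any 2.18+ release (published after the fix) is
# treated as patched, and any series older than 2.13, which received no fixed
# release, is treated as vulnerable.

# Print the patch level at which a given "major.minor" series was fixed;
# print nothing for a series that never received a fix.
fixed_patch_for_series() {
    case "$1" in
        2.13) echo 7 ;;
        2.14) echo 4 ;;
        2.15) echo 2 ;;
        2.16) echo 4 ;;
        2.17) echo 1 ;;
        *)    echo "" ;;
    esac
}

# git_is_patched "<output of git --version>"
#   exit 0: patched   exit 1: vulnerable   exit 2: output not understood
git_is_patched() {
    # Keep only the leading major.minor.patch; this drops platform suffixes
    # such as ".windows.2" (Git for Windows) or " (Apple Git-112)" (macOS).
    v=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 2

    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Outside the 2.x line: 1.x never got the fix, 3.x+ would postdate it.
    [ "$major" -ge 2 ] || return 1
    [ "$major" -eq 2 ] || return 0
    # 2.18 and later were released after the fix and include it (assumption).
    [ "$minor" -lt 18 ] || return 0

    fixed=$(fixed_patch_for_series "2.$minor")
    [ -n "$fixed" ] || return 1   # 2.12 and older: no fixed release exists
    [ "$patch" -ge "$fixed" ]
}

# When run directly with --check, test the Git on PATH and report.
if [ "${1:-}" = "--check" ]; then
    out=$(git --version 2>/dev/null) || { echo "git not found on PATH"; exit 2; }
    if git_is_patched "$out"; then
        echo "OK: '$out' includes the fixes"
    else
        echo "UPGRADE: '$out' does not include the fixes"
        exit 1
    fi
fi
```

Save it as, for instance, gitcheck.sh and run sh gitcheck.sh --check on each developer machine or build agent; a non-zero exit status means the machine still needs the upgrade, which makes the script easy to drop into a fleet-wide inventory job.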
Microsoft is telling developers to download Git for Windows 2.17.1(2) and has blocked malicious repositories from being uploaded to Visual Studio Team Services. How, exactly, it knows what is malicious it is not saying. It also says that it will release a patch for Visual Studio “shortly”. Hopefully shortly means just a few days.
Linux distributions such as Debian are shipping the fixed version of Git and telling users to upgrade.
Bottom line, if you are a software developer and use Git, it is time to upgrade.
Information for this post came from The Register.