gitext-rs / git2-ext

git2 Extensions
docs.rs/git2-ext
Apache License 2.0

chore(deps): update rust crate git2 to 0.16 [security] - autoclosed #26

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| git2 | dependencies | minor | 0.15 -> 0.16 |

GitHub Vulnerability Alerts

GHSA-m4ch-rfv5-x5g3

The git2 and libgit2-sys crates are Rust wrappers around the libgit2 C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to Man-In-the-Middle attacks.

The libgit2 team assigned CVE-2023-22742 to this vulnerability. The following versions of the libgit2-sys Rust crate have been released:

A new git2 crate version has also been released, 0.16.1. This version only bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions are used, but contains no code changes: if you update the libgit2-sys version there is no need to also update the git2 crate version.

You can learn more about this vulnerability in libgit2's advisory.


Release Notes

rust-lang/git2-rs

### [`v0.16.1`](https://togithub.com/rust-lang/git2-rs/blob/HEAD/CHANGELOG.md#0161---2023-01-20)

[Compare Source](https://togithub.com/rust-lang/git2-rs/compare/0.16.0...0.16.1)

[0.16.0...0.16.1](https://togithub.com/rust-lang/git2-rs/compare/0.16.0...0.16.1)

##### Changed

- Updated to [libgit2-sys 0.14.2+1.5.1](libgit2-sys/CHANGELOG.md#0142151---2023-01-20)

### [`v0.16.0`](https://togithub.com/rust-lang/git2-rs/blob/HEAD/CHANGELOG.md#0160---2023-01-10)

[Compare Source](https://togithub.com/rust-lang/git2-rs/compare/0.15.0...0.16.0)

[0.15.0...0.16.0](https://togithub.com/rust-lang/git2-rs/compare/0.15.0...0.16.0)

##### Changed

- Added ability to get the SSH host key and its type. This includes an API breaking change to the `certificate_check` callback. [#909](https://togithub.com/rust-lang/git2-rs/pull/909)
- Updated to [libgit2-sys 0.14.1+1.5.0](libgit2-sys/CHANGELOG.md#0141150---2023-01-10)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
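
The advisory above says that updating libgit2-sys alone is enough, so the thing to verify is which libgit2-sys version a Cargo.lock actually resolves. The following is an added example (not part of this PR or of git2-rs) that flags entries whose bundled libgit2 is 1.5.0 or below, the range the advisory text names. It assumes the `+x.y.z` suffix of a libgit2-sys version is the bundled libgit2 version, as in the release notes here, and runs on a constructed lockfile excerpt; the advisory's list of fixed libgit2-sys releases is not reproduced on this page, so compare any flagged version against that list.

```rust
// Added example: flag libgit2-sys entries in Cargo.lock that bundle libgit2 <= 1.5.0,
// the range the advisory text names. Constructed lockfile excerpt below.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "git2"
version = "0.16.0"

[[package]]
name = "libgit2-sys"
version = "0.14.1+1.5.0"
"#;

/// Assumption: the build metadata after '+' is the bundled libgit2 version,
/// e.g. "0.14.2+1.5.1" bundles libgit2 1.5.1.
fn bundled_libgit2(version: &str) -> Option<(u32, u32, u32)> {
    let (_, meta) = version.split_once('+')?;
    let mut parts = meta.split('.').map(|p| p.parse::<u32>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Returns each resolved libgit2-sys version to act on: bundled libgit2 <= 1.5.0,
/// or no parsable bundled version (check those by hand).
fn flag_libgit2_sys(lockfile: &str) -> Vec<String> {
    let mut flagged = Vec::new();
    let mut in_target = false;
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            in_target = false;
        } else if line == "name = \"libgit2-sys\"" {
            in_target = true;
        } else if in_target {
            let ver = line.strip_prefix("version = \"").and_then(|r| r.strip_suffix('"'));
            if let Some(v) = ver {
                match bundled_libgit2(v) {
                    Some(lib) if lib > (1, 5, 0) => {}
                    _ => flagged.push(v.to_string()),
                }
                in_target = false;
            }
        }
    }
    flagged
}

fn main() {
    for v in flag_libgit2_sys(SAMPLE_LOCK) {
        println!("libgit2-sys {v}: update libgit2-sys (cargo update -p libgit2-sys)");
    }
}
```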