README.md: 18 additions & 1 deletion
@@ -39,7 +39,8 @@ The vcsrepo module provides a single type with providers to support the followin
39
39
*[Subversion](#subversion)
40
40
41
41
**Note:**`git` is the only vcs provider officially [supported by Puppet Inc.](https://forge.puppet.com/supported)
42
-
**Note:** Release v4.0.1 has been removed from the Puppet Forge and was officially re-released as version v5.0.0 as it contained a breaking change. Details available [here](https://puppetlabs.github.io/iac/team/status/developer/2021/06/04/status-update.html)
42
+
**Note:** Release v4.0.1 has been removed from the Puppet Forge and was officially re-released as version v5.0.0 as it contained a breaking change.
43
+
Details available [here](https://puppetlabs.github.io/iac/team/status/developer/2021/06/04/status-update.html)
43
44
44
45
<aid="setup"></a>
45
46
## Setup
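Review bot: The new second line of the v4.0.1 note, `Details available [here](...)`, uses "here" as its link text and ends without a period. Suggest descriptive link text such as "Details are available in the status update." pointing at the same URL. This reflow is also unrelated to the CVE-2022-24765 section added further down and would be easier to review as its own commit.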
@@ -788,6 +789,22 @@ The includes parameter is only supported when SVN client version is >= 1.6.
788
789
789
790
For an extensive list of supported operating systems, see [metadata.json](https://github.com/puppetlabs/puppetlabs-vcsrepo/blob/main/metadata.json)
790
791
792
+
### Response to CVE-2022-24765
793
+
794
+
The vulnerability described in this CVE could impact users working on multi-user machines.
795
+
A malicious actor could create a `.git` directory above the current working directory causing all git invocations to occur outside of a repository to read its configuration.
796
+
797
+
For a more in-depth description of this vulnerability, check out [this blog post](https://github.blog/2022-04-12-git-security-vulnerability-announced/).
798
+
799
+
Fixes were released in Git versions 2.35.2 and 1:2.25.1-1ubuntu3.4 respectively.
800
+
801
+
VCSRepo users were impacted when running newer versions of Git and managing repositories that were owned by a user or group that differed from the user executing Git.
802
+
803
+
For example, setting the `owner` parameter on a resource would cause Puppet runs to fail with a `Path /destination/path exists and is not the desired repository.` error.
804
+
805
+
Impacted users are now advised to use the new `safe_directory` parameter on Git resources.
806
+
Explicitily setting the value to `true` will add the current path specified on the resource to the `safe.directory` git configuration for the current user (global scope) allowing the Puppet run to continue without error.
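Review bot: The last added line says that setting `safe_directory` to `true` adds the resource path to the executing user's global `safe.directory` configuration, but the section never states the trade-off. That entry outlives the Puppet run and tells Git to skip its ownership check for that path. Suggest adding a sentence that the parameter should only be enabled for destinations whose owner is trusted, along with the parameter's default value and what happens to the entry when the parameter is later unset. Wording in the same hunk also needs a pass. "Explicitily" should be "Explicitly". The line "causing all git invocations to occur outside of a repository to read its configuration" reads as if it should be "causing all Git invocations that occur outside of a repository to read its configuration". In "Fixes were released in Git versions 2.35.2 and 1:2.25.1-1ubuntu3.4 respectively", "respectively" has nothing to pair with, and the second value reads as a distribution package version rather than an upstream Git release, so the sentence should name what each version belongs to.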