VYPR

rpm package

almalinux/git-lfs

pkg:rpm/almalinux/git-lfs

Vulnerabilities (33)

  • CVE-2026-32283 | High | Apr 8, 2026
    affected: < 3.6.1-8.el9_7.1; fixed: 3.6.1-8.el9_7.1

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282 | Medium | Apr 8, 2026
    affected: < 3.6.1-8.el9_7.1; fixed: 3.6.1-8.el9_7.1

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

  • CVE-2026-32280 | High | Apr 8, 2026
    affected: < 3.6.1-8.el9_7.1; fixed: 3.6.1-8.el9_7.1

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-25679 | High | Mar 6, 2026
    affected: < 3.4.1-10.el8_10; fixed: 3.4.1-10.el8_10

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121 | Critical | Feb 5, 2026
    affected: < 3.6.1-7.el9_7; fixed: 3.6.1-7.el9_7

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61726 | Jan 28, 2026
    affected: < 3.6.1-7.el9_7; fixed: 3.6.1-7.el9_7

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61729 | Dec 2, 2025
    affected: < 3.4.1-7.el8_10; fixed: 3.4.1-7.el8_10

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-26625 | High | Oct 17, 2025
    affected: < 3.6.1-4.el10_1; fixed: 3.6.1-4.el10_1

    Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbol

  • CVE-2025-22871 | Critical | Apr 8, 2025
    affected: < 3.4.1-5.el8_10; fixed: 3.4.1-5.el8_10

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2024-53263 | High | Jan 14, 2025
    affected: < 3.4.1-4.el9_5; fixed: 3.4.1-4.el9_5

    Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credential

  • CVE-2024-9355 | Medium | Oct 1, 2024
    affected: < 3.6.1-1.el9; fixed: 3.6.1-1.el9

    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co

  • CVE-2024-34156 | High | Sep 6, 2024
    affected: < 3.4.1-3.el8_10; fixed: 3.4.1-3.el8_10

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-24791 | High | Jul 2, 2024
    affected: < 3.6.1-1.el9; fixed: 3.6.1-1.el9

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

  • CVE-2024-24790 | Jun 5, 2024
    affected: < 3.6.1-1.el9; fixed: 3.6.1-1.el9

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

  • CVE-2024-24788 | Medium | May 8, 2024
    affected: < 3.6.1-1.el9; fixed: 3.6.1-1.el9

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2023-45288 | High | Apr 4, 2024
    affected: < 3.2.0-2.el9_3; fixed: 3.2.0-2.el9_3

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-24783 | Medium | Mar 5, 2024
    affected: < 3.4.1-2.el9_4; fixed: 3.4.1-2.el9_4

    Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul

  • CVE-2023-45290 | Medium | Mar 5, 2024
    affected: < 3.4.1-2.el9_4; fixed: 3.4.1-2.el9_4

    When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line

  • CVE-2023-45289 | Medium | Mar 5, 2024
    affected: < 3.4.1-2.el9_4; fixed: 3.4.1-2.el9_4

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati

  • CVE-2023-39322 | Sep 8, 2023
    affected: < 3.6.1-1.el9; fixed: 3.6.1-1.el9

    QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

Page 1 of 2