Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Jimi Wikman

Critical Security Patch in Git and GitKraken

Recommended Posts

Quote

On 12-10-2019, Git released patch v2.24.1 to address several common vulnerabilities and exposures, or CVE. For those unfamiliar with what CVE is, it is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.

GitKraken utilizes libgit2 for handling its Git operations, but that does not mean it is immune to these vulnerabilities. Fortunately, the libgit2 team has merged in a fix for these new vulnerabilities which are included in GitKraken v6.4.0 and later.

For users who only use GitKraken, please be sure to always update GitKraken to the latest available version whether that is through our updater or our downloads page. We actively monitor security channels and want to ensure our users are not prone to these vulnerabilities and exposures. 

For any users who utilize Git for the CLI, Git Hooks, or Git LFS, it is advisable to also make sure your current version of Git is v2.24.1 or later. You can download the latest version of Git here.

Upgrade to GitKraken v6.4.0 (or later) to protect against serious Git security vulnerabilities.

Time to update if you have not already.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Similar Content

    • By ©Jimi Wikman
      Two WordPress plugins, InfiniteWP Client and WP Time Capsule have been found to suffer from a critical authorization bypass bug that allows people to access a site’s backend with no password. All an attacker needs is the admin username for the WordPress plugins and they are in.
      Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server. That allows site owners to “perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously".
      This was reported on January 7th and on January 8th a new release for InfiniteWP Client and WP Time Capsule was released. WebArx publicly disclosed the bugs on January 14th.
      Based on the WordPress plugin library, the InfiniteWP Client plugin is active on 300,000+ websites. The InfiniteWP site claims they have 513,520 sites active.
      Link to WPScan Vulnerability Database: https://wpvulndb.com/vulnerabilities/10011
       
    • By ©Jimi Wikman
      On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
      The updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019 editions that was discovered and reported to the company by the National Security Agency (NSA) of the United States
      The flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various 'Certificate and Cryptographic Messaging functions' used by the Windows Crypto API for handling encryption and decryption of data.
      A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:
      A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed. Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.  
       
       
       
      Besides Windows CryptoAPI spoofing vulnerability that has been rated 'important' in severity, Microsoft has also patched 48 other vulnerabilities, 8 of which are critical and rest all 40 are important.
      It is strongly suggested that you patch this as soon as possible by heading on to your Windows Settings → Update & Security → Windows Update → clicking 'Check for updates on your PC.
    • By ©Jimi Wikman
      Pulse Secure, a provider of secure VPN, urged customers today to immediately apply a security patch if they have not yet done so. The advice comes from reports over the last few days of attackers exploiting a flaw to deliver ransomware on enterprise systems. It can even be used to delete data backups and disable endpoint security tools.
      This flaw has been present for some time and Kevin Beaumont who first reported the attacks this weekend have outlined its backstory since it was discovered in April 2019. It is believed that it was this flaw that was used to attack travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve.
      This flaw, that exists in multiple versions of Pulse Connect Secure and Pulse Policy Secure, gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks.The attacker can also see cached passwords in plain text, including Active Directory account passwords.
       According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Kevin Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.
      It is strongly suggested that if you use Pulse Connect Secure or Pulse Policy Secure that you take this seriously and ensure that you have applied all the latest patches. Ransomeware like Sodinokibi, also known as REvil, is no joke and it can cripple or even destroy companies it affects.
       
    • By ©Jimi Wikman
      BitNinja is an all in one server security tool mixing the most powerful defence techniques. It is super-easy to install, requires virtually no maintenance. It is able to protect against 99% of automated attacks - like XSS, DDoS, malware, scans, script injection, CMS hacks, enumeration, brute force, etc.
      Servers protected by BitNinja learn from each attack and inform each other about malicious IPs.
      This result is a global defense network that counteracts botnet attacks with a shield of protection for all servers running BitNinja, while also reducing the number of false positives each server encounters
  • Who's Online   1 Member, 0 Anonymous, 7 Guests (See full list)

×
×
  • Create New...