Makefile: Upgrade libgit2 to v1.5.1

Patrick Steinhardt requested to merge pks-libgit2-bump-to-v1.5.1 into master

The libgit2 project has published a security release for CVE-2023-22742. This vulnerability allows for man-in-the-middle attacks because by default, libgit2 would not verify SSH keys of the remote server when connecting to it.

Gitaly is not impacted by this CVE given that we never use libgit2 to connect to a remote server. But let's upgrade anyway in case anybody wonders.