Due to a flaw in libgit2, it was possible to trigger a denial-of-service (DoS) attack on GitHub repositories by requesting maliciously-crafted remote repos. libgit2 is the distributed version control system (DVCS) library that libgit2-dev is the package dependency.

Prior to the release of libgit2 version 1.14.0, a remote DoS attack could be launched against repositories on GitHub by requesting a maliciously crafted Git repository.
In the libgit2 package, there was a vulnerability in version 1.14.0 for Red Hat Enterprise Linux 7 that could lead to a Denial-of-Service (DoS) attack against GitHub repositories. This issue has been fixed in version 1.19.2. Red Hat does not recommend updating to this version, as it is a security release. Instead, Red Hat recommends updating the libgit2 package, as detailed below.

Libgit2 package required for updating

The libgit2 package required for updating to version 1.19.2 is libgit2-dev 2.18.0-1 or higher
If you are running a previous version of the libgit2 package, update it to the latest available version 2.18.0-1 or higher first before updating to the latest version of libgit2 in order to prevent any issues.

How to update libgit2 on Red Hat Enterprise Linux 7

You should update to version 1.19.2 of libgit2 on Red Hat Enterprise Linux 7 in order to mitigate the vulnerability that was addressed by this security release.

To update:
yum -y update libgit2-1*
or, for more detail on what's updated and how, refer to the changelog:
yum -y --changelog libgit2-1*

Update libgit2 to version 1.19.2

To update the libgit2 package, use the following command:

yum update libgit2

Timeline

Published on: 01/28/2022 22:15:00 UTC
Last modified on: 08/21/2022 08:15:00 UTC

References