These updates address an issue where a specially crafted repository can execute code during a git clone on case-insensitive filesystems which support symbolic links, by abusing certain types of clean/smudge filters, like those configured by Git LFS.
The most effective way to protect against this vulnerability is to upgrade to Git 2.30.2. If you can’t update immediately, you can reduce your risk by doing any of the following:
Disable support for symbolic links in Git by running: git config --global core.symlinks false
GitHub itself is not vulnerable to this attack. We do not store checked-out copies of repositories on our servers, except for GitHub Pages, which does not use any clean/smudge filters.
Credit for finding and fixing this vulnerability is shared among Matheus Tavares and Johannes Schindelin.