
And used git LFS and cloned a malicious repo? This bug has probably not affected a single user.



Isn't the whole point of announcing security patches so that people can update before they're exploited?


Sure, I'm just saying this isn't a big deal and it's likely no one was hit.


Just because there is not an active threat doesn’t make it any less of a vulnerability to be exploited.


It does if nobody uses it. You can't exploit Apache 2.4.2 proxy bugs if nobody runs Apache 2.4.2 in proxy mode.

Of course, you should still update because you're a config change away from being vulnerable, but GP's point of it not being a big deal if (and only if, don't know if that's correct) nobody uses it stands.


The GitHub desktop app configures lfs in your gitconfig automatically, so that adds a lot of users to the vulnerable pool.


Many Git distributions come with git-lfs installed by default.
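
The two comments above turn on one question: whether a machine's gitconfig carries the git-lfs filter entries, because that is what makes git hand repository content to git-lfs on clone and checkout. The following is an added example, not code from the thread or from the git-lfs project: a small parser for git's INI-style config that reports which `filter.lfs` keys are set. The sample config texts are constructed, modelled on what `git lfs install` typically writes; the helper names are mine.

```python
"""Report whether a gitconfig enables the git-lfs clean/smudge/process filters.

Added example (not from the thread or the git-lfs project). The config
samples below are constructed; on a real machine the equivalent one-liner is
`git config --global --get filter.lfs.process`.
"""
import re

# Constructed sample: the section `git lfs install` (or GitHub Desktop) typically adds.
SAMPLE_GITCONFIG_WITH_LFS = """\
[user]
\tname = Example User
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
\tprocess = git-lfs filter-process
\trequired = true
"""

# Constructed sample: a config with no lfs filter section at all.
SAMPLE_GITCONFIG_WITHOUT_LFS = """\
[user]
\tname = Example User
[core]
\tautocrlf = input
"""

# `[section]` or `[section "subsection"]`
_SECTION_RE = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]\s*$')
# `key = value` (value may be empty)
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitconfig(text):
    """Parse gitconfig text into {'section.subsection.key': value}.

    Section and key names are lowercased (git treats them case-insensitively);
    subsection names keep their case. Quoted values and line continuations are
    not handled, which is enough for detecting the lfs filter entries.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        # strip trailing comments introduced by '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            entries[f"{section}.{m.group(1).lower()}"] = m.group(2)
    return entries


# The three keys that cause git to invoke git-lfs during checkout/commit.
LFS_FILTER_KEYS = ("filter.lfs.clean", "filter.lfs.smudge", "filter.lfs.process")


def lfs_filters_configured(text):
    """Return the filter.lfs keys present in the config text (empty list if none)."""
    entries = parse_gitconfig(text)
    return [key for key in LFS_FILTER_KEYS if key in entries]


def assess(text):
    """One-line verdict on whether this config puts the machine in the git-lfs user pool."""
    found = lfs_filters_configured(text)
    if found:
        return ("git-lfs filters configured (%s): git will run git-lfs on clone/checkout, "
                "so keep git-lfs patched" % ", ".join(found))
    return "no git-lfs filters configured: this config does not invoke git-lfs on clone/checkout"


if __name__ == "__main__":
    for label, cfg in (("with lfs", SAMPLE_GITCONFIG_WITH_LFS),
                       ("without lfs", SAMPLE_GITCONFIG_WITHOUT_LFS)):
        print(f"{label}: {assess(cfg)}")
```

To run it against a real config, read `~/.gitconfig` (or the per-repository `.git/config`, which a cloned repository can also populate) and pass the text to `assess`; the presence of `filter.lfs.process` or `filter.lfs.smudge` is the signal that clones of untrusted repositories will invoke git-lfs.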


I assume the primary user base of git-lfs is folks doing things like video game development (so that they can check in image/audio assets to a repo without massively bloating it), which probably has a much higher fraction of Mac/Windows users than folks writing server-side apps or whatever.


That's not why we do security research.





