git-lfs-3.4.1-10.el8_10

Errata ID: AXSA:2026-626:06

Release date: 
Monday, May 18, 2026 - 17:02
Subject: 
git-lfs-3.4.1-10.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

* net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679)
* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-25679
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-32280
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
CVE-2026-32282
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
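
The check-then-act gap described under CVE-2026-32282 does not arise when the mode change is applied to an already-open file descriptor instead of a path. The Go code below is an added example, not code from this advisory, from git-lfs or from the Go fix; `chmodNoFollow` and `demo` are hypothetical names, and it assumes Linux and trusted directories between the root and the target.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// chmodNoFollow (hypothetical helper, Linux only) sets the mode of root/name
// without resolving a symlink in the final path component.
func chmodNoFollow(root, name string, mode os.FileMode) error {
	if !filepath.IsLocal(name) { // rejects absolute paths and ".." escapes
		return fmt.Errorf("chmodNoFollow: %q is not a local path", name)
	}
	// O_NOFOLLOW: open(2) fails with ELOOP on a symlink. O_NONBLOCK: no FIFO stall.
	flags := os.O_RDONLY | syscall.O_NOFOLLOW | syscall.O_NONBLOCK
	f, err := os.OpenFile(filepath.Join(root, name), flags, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	// fchmod(2) acts on the inode that is already open, so swapping the name
	// for a symlink after the open cannot redirect the change.
	return f.Chmod(mode)
}

// demo uses a constructed layout: a regular file and a symlink to an outside file.
func demo() (outsideMode, insideMode os.FileMode, linkErr error) {
	base, _ := os.MkdirTemp("", "chmod-demo")
	defer os.RemoveAll(base)
	root, outside := filepath.Join(base, "root"), filepath.Join(base, "outside.txt")
	inside := filepath.Join(root, "inside.txt")
	os.Mkdir(root, 0o755)
	os.WriteFile(outside, []byte("x"), 0o600)
	os.WriteFile(inside, []byte("x"), 0o600)
	os.Symlink(outside, filepath.Join(root, "link"))
	linkErr = chmodNoFollow(root, "link", 0o644) // symlink: must be refused
	_ = chmodNoFollow(root, "inside.txt", 0o644) // regular file: must succeed
	oi, _ := os.Stat(outside)
	ii, _ := os.Stat(inside)
	return oi.Mode().Perm(), ii.Mode().Perm(), linkErr
}

func main() {
	out, in, err := demo()
	fmt.Println(errors.Is(err, syscall.ELOOP), out, in)
}
```

Opening with `O_RDONLY` requires read permission on the target, so this pattern does not cover files the caller cannot read.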

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. git-lfs-3.4.1-10.el8_10.src.rpm
    MD5: dbe4f58967b04c6480f37e43ca6c04f5
    SHA-256: 3a2f432ef214cc83025499c73ec00884788abb67f944a2ca3376a58541663f5b
    Size: 3.46 MB

Asianux Server 8 for x86_64
  1. git-lfs-3.4.1-10.el8_10.x86_64.rpm
    MD5: 3404b3d0c795017d8cff7d1d1c07fbe0
    SHA-256: e6e1da8f1459a200de2168ef9257c72b2396d0434445fd80c10fbeeac85dd334
    Size: 4.72 MB