Content Developer II at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Gemini 1.5 Pro updates, 1.5 Flash debut and 2 new Gemma models

Today we’re updating Gemini 1.5 Pro, introducing 1.5 Flash, rolling out new Gemini API features and adding two new Gemma models.
Shared by alvinashcraft, 1 hour ago, West Grove, PA

Securing Git: Addressing 5 new vulnerabilities


Hi there, Git users!

Today, I write to you not in my capacity as Git for Windows maintainer, but as the Git community coordinator of the latest security bugfix release of Git.

In the ever-evolving landscape of software development, security remains a paramount concern, especially for the Git project. Alongside our other business priorities, we hold the fort when it comes to safeguarding your work. It’s with this unwavering commitment to security that we bring to your attention the latest Git version, v2.45.1, released on May 14, 2024, which addresses not one but five vulnerabilities. Affected platforms are Windows, macOS, Linux, and even *BSD, so these fixes are important for everyone! 😊 This release is coordinated with Visual Studio and GitHub Desktop, which include a subset of Git. We are also releasing several defense-in-depth updates to address themes that we have noticed in the past several bugfix releases.

Upgrading to the latest Git version is essential to protect against these vulnerabilities. If you cannot update immediately, please be careful from where you clone repositories.

Note: the defense-in-depth protection in this update causes a regression when cloning repositories that use Git LFS. The clone will fail with an error message. The remedy is to run git lfs pull in the fresh clone.

Details

The main theme of these fixes is to improve the security of cloning Git repositories. It has long been Git’s stance that cloning even untrustworthy repositories should be a safe operation, and that it should be possible to “scrub” repositories of potentially malicious configurations and hooks—and in this release this is clearly documented.

Now, let’s dive into the details.

Recursive clones on case-insensitive filesystems that support symbolic links are susceptible to Remote Code Execution (CVE-2024-32002, critical)

Repositories with submodules can be crafted in a way that exploits a bug in Git, whereby it can be fooled into writing files not into the submodule’s worktree but into a .git/ directory. This is possible by confusing Git with a directory and a symbolic link whose names differ only in case, so that Git can write either one, or the other, but not both. This confusion can be used to manipulate Git into writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

Remote Code Execution while cloning specially crafted local repositories (CVE-2024-32004, high)

On multi-user machines, an attacker can prepare a local repository so that it looks like a partial clone that is missing an object, so that, when this repository is cloned, Git will execute arbitrary code during the operation with full permissions of the user performing the clone.

Protections for cloning untrusted repositories can be bypassed (CVE-2024-32465, high)

There are circumstances where the fixes for CVE-2024-32004 are not enough. For example, a .zip file containing a full copy of a Git repository should not be trusted by default to be safe, because, among other things, hooks could be configured to run within the context of that repository.

The Git project does not recommend for you to obtain Git repositories via .zip files containing a full copy of the worktree and .git/ directory!

Having said that, the Git project’s stance is that such an untrusted repository can be “sanitized” by cloning it locally, as is clarified in the Git documentation as part of this release. In such a scenario, Git is susceptible to the same manipulations as described in CVE-2024-32004.

Cloning local repository by untrusted user allows the untrusted user to modify objects in the cloned repository at will (CVE-2024-32020, low)

When source and target repository reside on the same disk, local clones may end up creating hard-links of files in the target repository’s object database. If the source repository is owned by a different user, this means that those newly hard-linked files may be rewritten at any point in time by that other user, which can easily come as a surprise to users who are unfamiliar with this implementation detail of Git.

Cloning local repositories may create hard links to arbitrary user-readable files (CVE-2024-32021, low)

When cloning a local source repository that contains symbolic links, Git may create hard-links in the objects/ directory to arbitrary files on the same filesystem as the target repository. This can be used in sophisticated attacks to manipulate Git into writing files outside the Git worktree and outside the .git/ directory.

Defense-in-depth

It has not escaped the Git project that there has been a common theme in the vulnerabilities fixed in previous security bugfix releases, as well as in this one: submodule support seems to be involved, and hooks escalate the severity of the found vulnerabilities to high or critical.

This time around, we therefore added more changes that not only fix existing security issues but also try to reduce the severity of any related vulnerabilities that may be found in the future:

  • Git has introduced several security improvements to protect against Remote Code Execution (RCE), which is when an attacker could potentially run harmful code on your computer.
  • These updates include better handling of symbolic links and directories during cloning operations to prevent Git from being tricked into writing files in the wrong places.
  • Git now has a more secure way of running hooks, which are scripts that can run automatically during certain Git operations. This helps prevent unauthorized code from running during a clone.
  • The configuration setting for the Git templates directory, which could influence which hooks run during a clone, is now protected to prevent accidental or malicious changes.
  • Additionally, Git will now warn about symbolic links that point inside the .git/ directory, which could be a security risk. Users who want to be extra cautious can set these warnings to be treated as errors.

These changes are part of Git’s ongoing efforts to enhance security and ensure that the cloning process is safe from potential vulnerabilities.
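The defense-in-depth items above describe what Git now guards against during a clone: symbolic links that resolve into .git/, hooks that would run, and repository-local configuration that redirects where hooks or templates come from. The following script is an added example (not Git's own code, and not part of the original post) that audits a freshly cloned worktree for exactly those three patterns, so a defender can inspect a clone before trusting it. It assumes a non-bare layout with a .git/ directory beside the worktree, uses a deliberately minimal .git/config parser (no include directives, no multi-line values), and builds a constructed throwaway repository with each finding in place instead of cloning anything.

```python
"""Audit a cloned Git worktree for the risk patterns named in the 2.45.1 release.

Added example, not Git's own implementation. Checks performed:
  1. symlinks in the worktree whose target resolves inside .git/
  2. hooks that would actually run (executable, non-.sample)
  3. repository-local config keys that steer hook/template lookup
"""
import os
import stat
import tempfile

# Repo-local keys the release calls out as influencing which hooks run during a clone.
SENSITIVE_KEYS = {"core.hookspath", "init.templatedir"}


def parse_git_config(path):
    """Minimal .git/config parser -> {"section.sub.key": value}.

    Section and key names are lower-cased (as git does); quoted subsection
    names keep their case. Assumption: no [include] handling, no continuations.
    """
    entries = {}
    section = None
    if not os.path.exists(path):
        return entries
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                header = line[1:-1].strip()
                if '"' in header:  # e.g. [remote "origin"]
                    name, _, sub = header.partition(" ")
                    section = name.lower() + "." + sub.strip().strip('"')
                else:
                    section = header.lower()
                continue
            if "=" in line and section is not None:
                key, _, value = line.partition("=")
                entries[section + "." + key.strip().lower()] = value.strip()
    return entries


def symlinks_into_gitdir(worktree):
    """Worktree-relative paths of symlinks whose target resolves inside .git/.

    Dangling links are included: realpath() still yields a path under .git/.
    """
    gitdir = os.path.realpath(os.path.join(worktree, ".git"))
    found = []
    for root, dirs, files in os.walk(worktree):  # followlinks=False: never descend links
        if root == worktree:
            dirs[:] = [d for d in dirs if d != ".git"]  # .git itself is not worktree content
        for name in dirs + files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if target == gitdir or target.startswith(gitdir + os.sep):
                    found.append(os.path.relpath(full, worktree))
    return sorted(found)


def active_hooks(worktree, config):
    """Hook files that would run: executable and not a *.sample file.

    Honours a repo-local core.hooksPath if present, since that is precisely the
    redirection a defender wants to notice in an untrusted clone.
    """
    hooks_dir = config.get("core.hookspath", os.path.join(".git", "hooks"))
    if not os.path.isabs(hooks_dir):
        hooks_dir = os.path.join(worktree, hooks_dir)
    hooks = []
    if os.path.isdir(hooks_dir):
        for name in sorted(os.listdir(hooks_dir)):
            full = os.path.join(hooks_dir, name)
            if name.endswith(".sample") or not os.path.isfile(full):
                continue
            if os.stat(full).st_mode & stat.S_IXUSR:
                hooks.append(name)
    return hooks


def audit_clone(worktree):
    """Run all three checks and return the findings as a dict."""
    config = parse_git_config(os.path.join(worktree, ".git", "config"))
    return {
        "symlinks_into_gitdir": symlinks_into_gitdir(worktree),
        "active_hooks": active_hooks(worktree, config),
        "sensitive_local_config": {k: v for k, v in config.items() if k in SENSITIVE_KEYS},
    }


def build_demo_repo():
    """Constructed (not cloned) repo layout exhibiting each finding once."""
    root = tempfile.mkdtemp(prefix="clone-audit-")
    os.makedirs(os.path.join(root, ".git", "hooks"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n\thooksPath = .git/hooks\n"
                 '[remote "origin"]\n\turl = https://example.invalid/repo.git\n')
    hook = os.path.join(root, ".git", "hooks", "post-checkout")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho constructed demo hook\n")
    os.chmod(hook, 0o755)
    with open(os.path.join(root, ".git", "hooks", "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\n")  # sample hooks never run and must not be reported
    os.makedirs(os.path.join(root, "docs"))
    os.symlink(os.path.join("..", ".git", "hooks"), os.path.join(root, "docs", "hooks-link"))
    os.symlink("README", os.path.join(root, "docs", "readme-link"))  # benign: stays in worktree
    return root


if __name__ == "__main__":
    for check, result in audit_clone(build_demo_repo()).items():
        print(f"{check}: {result}")
```

Run it against a real clone by calling audit_clone with the worktree path; an empty result for all three checks is what a clean clone of a repository without custom hooks looks like. The symlink check is the audit-side counterpart of the new warning Git itself emits for links pointing inside .git/.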

Credits

CVE-2024-32002 and CVE-2024-32004 were found by Filip Hejsek and fixed by Johannes Schindelin. Apple Product Security found CVE-2024-32020 and CVE-2024-32021, and they were fixed by Patrick Steinhardt. CVE-2024-32465 was found and fixed by Jeff King. The defense-in-depth patches were contributed by Johannes Schindelin. Credit for in-depth reviews goes to Junio Hamano, Filip Hejsek, Johannes Schindelin, and Patrick Steinhardt.

Stay secure, stay updated, and let’s continue to build amazing software together.

The post Securing Git: Addressing 5 new vulnerabilities appeared first on The GitHub Blog.

Shared by alvinashcraft, 1 hour ago, West Grove, PA

Curating a collection of free Microsoft Copilot prompts


In this fast-moving era of AI, staying up-to-date on the latest technology is not an option but a necessity. That’s why we’re excited to announce a new community-led repository that is set to transform your workflow. This repo is a collection of prompts that will help you use the power of Microsoft Copilot across various applications, from Word to PowerPoint to Microsoft Teams, and more!

Take a look at an existing prompt in the sample that locates the meetings you have been invited to but have not yet responded to.

Demo of locating unanswered meeting invitations

How to use the repository

Simply go to the sample folder and select one sample (see steps 1-3 in the figure below). Then find the instructions in the readme.md file to run the prompt yourself. Be sure to check out the prerequisites before you get started.

Contributing your own prompts

Your insights can help the community thrive. If you have prompts that can benefit others or if you have figured out a hack, here’s how to share them:

If you don’t wish to do the steps below: Open an issue and post your image and prompt and someone from the community can take care of putting it in the repo, giving you full credit.

1. Fork the repository

  • Go to the repository https://aka.ms/pnp-prompt-bank
  • Select the Fork button to create your own copy.

2. Create a new branch

  • Clone your forked repository and create a new branch with a unique name that reflects your prompt’s purpose.

3. Add a new folder

  • Inside the samples folder, create a new folder following the naming convention: <apphost-functionality-prompt>.
  • For example, if you’re creating a prompt for a PowerPoint sales report, name it ppt-sales-report-prompt.

4. Prepare the readme file

  • Find an existing readme.md file in any sample folder.
  • Copy it into the new folder you created in the step above and update the contents in the file to describe your prompt.

5. Create an assets folder

  • Within your new folder, add a subfolder named assets.
  • This is where you’ll store any images or GIF files that your readme file refers to.

6. Copy the sample JSON file

  • Locate the sample.json file in any existing sample’s assets folder.
  • Copy this file into your own assets folder.

7. Update the JSON file

  • Modify the sample.json file in your assets folder to match the details of your prompt.

And that’s it! You’re now ready to contribute your creative prompts to the repository.

Create a pull request from your forked repo’s new branch to the upstream repository’s main branch so your prompts can be reviewed and approved by one of the community members in their free time.

Spreading the word

Let’s get the community buzzing:

  • Share your prompts on social media platforms and tag them with #CopilotPrompts.
  • Talk about it in your professional networks to encourage others to contribute and use the prompts.
  • Bookmark and keep an eye on the repository on GitHub to stay updated with the latest contributions.

This new GitHub repository is more than just a collection of prompts; it is there to get you ahead in the AI revolution. By contributing and utilising these prompts, we can all push the boundaries of what’s possible with Copilot. So, let’s collaborate, create, and elevate our productivity to new heights!

Follow us on X (Twitter) / @Microsoft365Dev and subscribe to our YouTube channel to stay up to date on the latest developer news and announcements.

The post Curating a collection of free Microsoft Copilot prompts appeared first on Microsoft 365 Developer Blog.

Shared by alvinashcraft, 1 hour ago, West Grove, PA

OverflowAI is now Generally Available! A new era of community-driven AI

We're excited to announce the general availability of OverflowAI to Stack Overflow for Teams! OverflowAI represents a big step forward in our vision of integrating GenAI offerings within knowledge communities.
Shared by alvinashcraft, 1 hour ago, West Grove, PA

Introducing PaliGemma, Gemma 2, and an Upgraded Responsible AI Toolkit

The Gemma family expands further with the introduction of PaliGemma, and a sneak peek into the near future with the announcement of Gemma 2.
Shared by alvinashcraft, 1 hour ago, West Grove, PA

Making development across platforms easier for developers

Do what works best for your business, whether you’re sharing both UI and business logic across multiple platforms with Flutter or developing with Kotlin Multiplatform.
Shared by alvinashcraft, 1 hour ago, West Grove, PA