{"id":"HSEC-2023-0012","summary":"git-annex checksum exposure to encrypted special remotes","details":"# *git-annex* checksum exposure to encrypted special remotes\n\nA bug exposed the checksum of annexed files to encrypted special\nremotes, which are not supposed to have access to the checksum of\nthe un-encrypted file.  This only occurred when resuming uploads to\nthe encrypted special remote, so it is considered a low-severity\nsecurity hole.\n\nFor details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`.\n\nNo CVE was assigned for this issue.\n\nFixed in *git-annex-6.20160419*.\n","modified":"2025-11-14T18:15:39.036725Z","published":"2025-11-14T14:45:34Z","database_specific":{"repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"ADVISORY","url":"https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/"},{"type":"FIX","url":"http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657"}],"affected":[{"package":{"name":"git-annex","ecosystem":"Hackage","purl":"pkg:hackage/git-annex"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.20110417"},{"fixed":"6.20160419"}]}],"versions":["3.20110702","3.20110702.2","3.20110705","3.20110707","3.20110819","3.20110902","3.20110906","3.20110915","3.20110928","3.20111011","3.20111122","3.20111203","3.20111211","3.20111231","3.20120113","3.20120115","3.20120116","3.20120123","3.20120227","3.20120229","3.20120230","3.20120309","3.20120315","3.20120405","3.20120406","3.20120418","3.20120430","3.20120511","3.20120522","3.20120605","3.20120611","3.20120614","3.20120615","3.20120624","3.20120629","3.20120721","3.20120807","3.20120825","3.20120924","3.20121001","3.20121009","3.20121010","3.20121016","3.20121017","3.20121112","3.20121126","3.20121127","3.20121127.1","3.20121211","3.20130102","3.20130105","3.20130107","3.20130114","3.20130124","3.20130207","3.20130216.1","4.20130227","4.20130314","4.20130323","4.20130405","4.20130417","4.20130501","4.20130501.1","4.20130516","4.20130521","4.20130521.1","4.20130521.2","4.20130601","4.20130627","4.20130709","4.20130723","4.20130802","4.20130815","4.20130827","4.20130909","4.20130920","4.20130927","4.20131002","4.20131024","4.20131101","4.20131106","5.20131118","5.20131120","5.20131127","5.20131130","5.20131213","5.20131221","5.20131230","5.20140107","5.20140108","5.20140116","5.20140127","5.20140129","5.20140210","5.20140221","5.20140227","5.20140306","5.20140320","5.20140402","5.20140405","5.20140412","5.20140421","5.20140517","5.20140529","5.20140606","5.20140613","5.20140707","5.20140709","5.20140717","5.20140817","5.20140831","5.20140915","5.20140919","5.20140926","5.20140927","5.20141013","5.20141024","5.20141125","5.20141203","5.20141219","5.20141231","5.20150113","5.20150205","5.20150219","5.20150317","5.20150327","5.20150406","5.20150406.1","5.20150409","5.20150420","5.20150508","5.20150508.1","5.20150522","5.20150528","5.20150617","5.20150710","5.20150727","5.20150731","5.20150812","5.20150824","5.20150916","5.20150930","5.20151019","5.20151102","5.20151102.1","5.20151116","5.20151208","5.20151218","6.20160114","6.20160126","6.20160211","6.20160229","6.20160318","6.20160412","6.20160418"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0012.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0012.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0012.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}],"schema_version":"1.7.3"}