Git Vulnerability Announced?

Git Vulnerability Announced?

[Erika Voss]

Good morning,

There was an article I came across yesterday identifying a vulnerability to patch our Git environments.  I don’t see one that is available for our Mac Clients - is there a more recent one that I can download that is available to patch the 2.17.0 version?

Thank you,
Erika

RE: Git Vulnerability Announced?

[Randall S. Becker]

On May 31, 2018 11:57 AM, Erika Voss wrote:
> There was an article I came across yesterday identifying a vulnerability to
> patch our Git environments.  I don’t see one that is available for our Mac
> Clients - is there a more recent one that I can download that is available to
> patch the 2.17.0 version?

Do you have a reference, CVE number, or other information about this vulnerability?

Cheers,
Randall

-- Brief whoami:
 NonStop developer since approximately 211288444200000000
 UNIX developer since approximately 421664400
-- In my real life, I talk too much.

Re: Git Vulnerability Announced?

[Erika Voss]

Hi Randall,

Yes here is what was sent to me - 

https://www.theregister.co.uk/2018/05/30/git_vulnerability_could_lead_to_an_attack_of_the_repo_clones/
https://www.debian.org/security/2018/dsa-4212

The one that I could find from online was:
https://git-scm.com/download/mac

But, the latest version available on this site was 2.17.0, which does not include the security patch.

Thank you,
Erika


On 5/31/18, 8:59 AM, "Randall S. Becker" <rsbecker@nexbridge.com> wrote:

    On May 31, 2018 11:57 AM, Erika Voss wrote:
    > There was an article I came across yesterday identifying a vulnerability to
    > patch our Git environments.  I don’t see one that is available for our Mac
    > Clients - is there a more recent one that I can download that is available to
    > patch the 2.17.0 version?
    
    Do you have a reference, CVE number, or other information about this vulnerability?
    
    Cheers,
    Randall
    
    -- Brief whoami:
     NonStop developer since approximately 211288444200000000
     UNIX developer since approximately 421664400
    -- In my real life, I talk too much.
    
    
    
    

Re: Git Vulnerability Announced?

[Jeff King]

On Thu, May 31, 2018 at 04:00:38PM +0000, Erika Voss wrote:

> Yes here is what was sent to me - 
> 
> https://www.theregister.co.uk/2018/05/30/git_vulnerability_could_lead_to_an_attack_of_the_repo_clones/
> https://www.debian.org/security/2018/dsa-4212

Yeah, the release announcement from the project is at:

  https://public-inbox.org/git/xmqqy3g2flb6.fsf@gitster-ct.c.googlers.com/

> The one that I could find from online was:
> https://git-scm.com/download/mac
> 
> But, the latest version available on this site was 2.17.0, which does
> not include the security patch.

The binary installs for MacOS are done by a third party, and sometimes
lag the source releases. You can build it from source yourself, either
from a tarball:

  https://git.kernel.org/pub/software/scm/git/git-2.17.1.tar.gz

or by cloning with git:

  https://kernel.org/pub/scm/git/git.git

There are some instructions in the INSTALL file, which you can also read
online:

  https://github.com/git/git/blob/master/INSTALL

You can also use Homebrew to install, which usually updates to new
versions pretty promptly:

  https://brew.sh/

-Peff