* [ANNOUNCE] Git v2.12.3 and others
@ 2017-05-10 0:06 Junio C Hamano
2017-05-10 0:38 ` Jonathan Nieder
0 siblings, 1 reply; 2+ messages in thread
From: Junio C Hamano @ 2017-05-10 0:06 UTC (permalink / raw)
To: git; +Cc: Linux Kernel
Maintenance releases Git v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5,
v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have been tagged and are now
available at the usual places.
These are primarily to fix a recently disclosed problem with "git
shell", which may allow a user who comes over SSH to run an
interactive pager by causing it to spawn "git upload-pack --help"
(CVE-2017-8386). Some (like v2.12.3) have other fixes that have
been accumulating included as well.
"git-shell" is a restricted login shell that can be used on a server
to prevent SSH clients from running any programs except those needed
for git fetches and pushes. If you are not running a server, or if
your server has not been explicitly configured to use git-shell as a
login shell, you are not affected. Also note that sites running "git
shell" behind gitolite are NOT vulnerable.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of these tags:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = git://git.sourceforge.jp/gitroot/git-core/git.git
url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
url = https://github.com/gitster/git
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [ANNOUNCE] Git v2.12.3 and others
2017-05-10 0:06 [ANNOUNCE] Git v2.12.3 and others Junio C Hamano
@ 2017-05-10 0:38 ` Jonathan Nieder
0 siblings, 0 replies; 2+ messages in thread
From: Jonathan Nieder @ 2017-05-10 0:38 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git, Linux Kernel, Timo Schmid
Junio C Hamano wrote:
> Maintenance releases Git v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5,
> v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have been tagged and are now
> available at the usual places.
>
> These are primarily to fix a recently disclosed problem with "git
> shell", which may allow a user who comes over SSH to run an
> interactive pager by causing it to spawn "git upload-pack --help"
> (CVE-2017-8386). Some (like v2.12.3) have other fixes that have
> been accumulating included as well.
>
> "git-shell" is a restricted login shell that can be used on a server
> to prevent SSH clients from running any programs except those needed
> for git fetches and pushes. If you are not running a server, or if
> your server has not been explicitly configured to use git-shell as a
> login shell, you are not affected. Also note that sites running "git
> shell" behind gitolite are NOT vulnerable.
Thanks. Credit for discovering this bug goes to Timo Schmid, ERNW GmbH.
They will probably have a blog post soon with more details.
1.6.1 is the earliest git version affected (so this goes back pretty
far).
> The tarballs are found at:
>
> https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of these tags:
>
> url = https://kernel.googlesource.com/pub/scm/git/git
> url = git://repo.or.cz/alt-git.git
> url = git://git.sourceforge.jp/gitroot/git-core/git.git
> url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
> url = https://github.com/gitster/git
Sincerely,
Jonathan
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-10 0:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-10 0:06 [ANNOUNCE] Git v2.12.3 and others Junio C Hamano
2017-05-10 0:38 ` Jonathan Nieder
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).