* [ANNOUNCE] Git v2.14.1, v2.13.5, and others
@ 2017-08-10 18:00 Junio C Hamano
0 siblings, 0 replies; only message in thread
From: Junio C Hamano @ 2017-08-10 18:00 UTC (permalink / raw)
To: git; +Cc: Linux Kernel
The latest maintenance release Git v2.14.1 is now available at the
usual places, together with releases for older maintenance track for
the same issue: v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4,
These contain a security fix for CVE-2017-1000117, and are released
in coordination with Subversion and Mercurial that share a similar
issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these
systems, respectively, for issues similar to it that are now
addressed in their part of this coordinated release.
The tarballs are found at:
The following public repositories all have a copy of these tags:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.
Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.
* A "ssh://..." URL can result in a "ssh" command line with a
hostname that begins with a dash "-", which would cause the "ssh"
command to instead (mis)treat it as an option. This is now
prevented by forbidding such a hostname (which should not impact
any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command is
run with host and port that are parsed out from "ssh://..." URL;
a poorly written GIT_PROXY_COMMAND could be tricked into treating
a string that begins with a dash "-" as an option. This is now
prevented by forbidding such a hostname and port number (again,
which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash "-"
is also forbidden now.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-08-10 18:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-10 18:00 [ANNOUNCE] Git v2.14.1, v2.13.5, and others Junio C Hamano
firstname.lastname@example.org list mirror (unofficial, one of many)
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://public-inbox.org/git
git clone --mirror http://ou63pmih66umazou.onion/git
git clone --mirror http://czquwvybam4bgbro.onion/git
git clone --mirror http://hjrcffqmbrq6wope.onion/git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V1 git git/ https://public-inbox.org/git \
Example config snippet for mirrors.
Newsgroups are available over NNTP:
note: .onion URLs require Tor: https://www.torproject.org/
code repositories for the project(s) associated with this inbox:
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git