Sync with 2.17.2

* maint-2.17:
  Git 2.17.2
  fsck: detect submodule paths starting with dash
  fsck: detect submodule urls starting with dash
  Git 2.16.5
  Git 2.15.3
  Git 2.14.5
  submodule-config: ban submodule paths that start with a dash
  submodule-config: ban submodule urls that start with dash
  submodule--helper: use "--" to signal end of clone options
Junio C Hamano
2018-09-27 11:45:01 -07:00
9 changed files with 142 additions and 0 deletions

@ -0,0 +1,16 @@
Git v2.14.5 Release Notes
=========================
This release is to address the recently reported CVE-2018-17456.
Fixes since v2.14.4
-------------------
* Submodules' "URL"s come from the untrusted .gitmodules file, but
we blindly gave it to "git clone" to clone submodules when "git
clone --recurse-submodules" was used to clone a project that has
such a submodule. The code has been hardened to reject such
malformed URLs (e.g. one that begins with a dash).
Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.
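Review bot: The "Fixes since v2.14.4" entry covers only the URL case ("malformed URLs (e.g. one that begins with a dash)"), while the merge message for this commit also lists "submodule-config: ban submodule paths that start with a dash" and the submodule--helper change that uses "--" to end clone options. If those changes are part of v2.14.5, the entry should say that paths are rejected too and that the clone options are now terminated with "--", so that someone auditing exposure does not assume only URLs were at issue. A short clause on why a leading dash matters (the value is handed to "git clone" as an argument) would also tell an administrator what to look for in existing .gitmodules files, which "malformed" alone does not.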

@ -0,0 +1,6 @@
Git v2.15.3 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.

@ -0,0 +1,6 @@
Git v2.16.5 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.

@ -0,0 +1,12 @@
Git v2.17.2 Release Notes
=========================
This release merges up the fixes that appear in v2.14.5 to address
the recently reported CVE-2018-17456; see the release notes for that
version for details.
In addition, this release also teaches "fsck" and the server side
logic to reject pushes to repositories that attempt to create such a
problematic ".gitmodules" file as tracked contents, to help hosting
sites protect their customers by preventing malicious contents from
spreading.
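Review bot: The second paragraph says pushes are rejected but not under what condition. Name the setting or default that makes the server-side check active; otherwise a hosting site cannot tell from this note whether upgrading alone provides the protection. The sentence also reads as if the repositories "attempt to create" the file; "reject pushes that attempt to create such a problematic ".gitmodules" file" would be unambiguous. Since the merge message lists fsck checks for both submodule paths and urls starting with dash, spell out "paths or URLs" here rather than letting "such a" point back at the v2.14.5 notes, which mention URLs only.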