Date: Wed, 10 May 2017 09:06:50 +0900
From: Junio C Hamano <gitster@...ox.com>
To: git@...r.kernel.org
Cc: Linux Kernel <linux-kernel@...r.kernel.org>
Subject: [ANNOUNCE] Git v2.12.3 and others

Maintenance releases Git v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5,
v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have been tagged and are now
available at the usual places.

These are primarily to fix a recently disclosed problem with "git
shell", which may allow a user who comes over SSH to run an
interactive pager by causing it to spawn "git upload-pack --help"
(CVE-2017-8386). Some (like v2.12.3) have other fixes that have
been accumulating included as well.

"git-shell" is a restricted login shell that can be used on a
server to prevent SSH clients from running any programs except
those needed for git fetches and pushes. If you are not running a
server, or if your server has not been explicitly configured to use
git-shell as a login shell, you are not affected.

Also note that sites running "git shell" behind gitolite are NOT
vulnerable.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of these tags:

    url = https://kernel.googlesource.com/pub/scm/git/git
    url = git://repo.or.cz/alt-git.git
    url = git://git.sourceforge.jp/gitroot/git-core/git.git
    url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
    url = https://github.com/gitster/git
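
An added example, not part of the announcement or of Git itself: a Python check of the two conditions the message gives for being affected (git-shell set as a login shell, and a Git release older than the fixed one for its series). The passwd lines are constructed sample input, the function names are hypothetical, and a gitolite front-end is not detected.

```python
import re

# Fixed maintenance releases named in the announcement, keyed by (major, minor).
FIXED = {(2, 4): 12, (2, 5): 6, (2, 6): 7, (2, 7): 5, (2, 8): 5,
         (2, 9): 4, (2, 10): 3, (2, 11): 2, (2, 12): 3}

def git_shell_accounts(passwd_text):
    """Return login names whose shell (7th passwd field) is git-shell."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        if fields[6].rsplit("/", 1)[-1] == "git-shell":
            names.append(fields[0])
    return names

def release_status(version_output):
    """Classify `git --version` output against the announced fixed releases."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return "unparsed"
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "series-not-listed"  # the announcement does not cover this series
    return "fixed" if patch >= fixed_patch else "needs-update"

def assess(passwd_text, version_output):
    accounts = git_shell_accounts(passwd_text)
    status = release_status(version_output)
    # Per the announcement, a host with no git-shell login shell is not affected.
    exposed = bool(accounts) and status == "needs-update"
    return {"git_shell_accounts": accounts, "release": status, "exposed": exposed}

# Constructed sample input (not from a real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
git:x:998:998:git repo user:/srv/git:/usr/bin/git-shell
alice:x:1000:1000::/home/alice:/bin/bash
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PASSWD, "git version 2.12.2"))
    print(assess(SAMPLE_PASSWD, "git version 2.12.3"))
```

On a real server, pass the contents of the passwd database and the output of `git --version` in place of the sample values.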