Date:	Thu, 18 Dec 2014 13:11:19 -0800
From:	Junio C Hamano <gitster@...ox.com>
To:	git@...r.kernel.org
Cc:	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: [ANNOUNCE] Git v2.2.1 (and updates to older maintenance tracks)

The latest maintenance release Git v2.2.1 is now available at
the usual places.

This is a security-fix for CVE-2014-9390, which affects users on
Windows and Mac OS X but not typical UNIX users.  A set of new
releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
v2.1.4) are published at the same time and they contain the same fix.
Various implementations and ports, including Git for Windows, Git OS
X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
have been updated at the same time.

Even though the issue may not affect Linux users, if you are a
hosting service whose users may fetch from your service to Windows
or Mac OS X machines, you are strongly encouraged to update to
protect such users who use existing versions of Git.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.2.1'
tag and the 'maint' branch that the tag points at:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://code.google.com/p/git-core/
  url = git://git.sourceforge.jp/gitroot/git-core/git.git
  url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
  url = https://github.com/gitster/git

Git v2.2.1 Release Notes
========================

Fixes since v2.2
----------------

 * We used to allow committing a path ".Git/config" with Git that is
   running on a case sensitive filesystem, but an attempt to check out
   such a path with Git that runs on a case insensitive filesystem
   would have clobbered ".git/config", which is definitely not what
   the user would have expected.  Git now prevents you from tracking
   a path with ".Git" (in any case combination) as a path component.

 * On Windows, certain path components that are different from ".git"
   are mapped to ".git", e.g. "git~1/config" is treated as if it were
   ".git/config".  HFS+ has a similar issue, where certain unicode
   codepoints are ignored, e.g. ".g\u200cit/config" is treated as if
   it were ".git/config".  Pathnames with these potential issues are
   rejected on the affected systems.  Git on systems that are not
   affected by this issue (e.g. Linux) can also be configured to
   reject them to ensure cross platform interoperability of the hosted
   projects.

 * "git fsck" notices a tree object that records such a path that can
   be confused with ".git", and with receive.fsckObjects configuration
   set to true, an attempt to "git push" such a tree object will be
   rejected.  Such a path may not be a problem on some filesystems
   but in order to protect those on HFS+ and on case insensitive
   filesystems, this check is enabled on all platforms.

A big "thanks!" for bringing this issue to us goes to our friends in
the Mercurial land, namely, Matt Mackall and Augie Fackler.

Also contains typofixes, documentation updates and trivial code clean-ups.

----------------------------------------------------------------

Changes since v2.2.0 are as follows:

Hartmut Henkel (1):
      l10n: de.po: fix typos

Jeff King (8):
      unpack-trees: propagate errors adding entries to the index
      read-tree: add tests for confusing paths like ".." and ".git"
      verify_dotfile(): reject .git case-insensitively
      t1450: refactor ".", "..", and ".git" fsck tests
      fsck: notice .git case-insensitively
      utf8: add is_hfs_dotgit() helper
      read-cache: optionally disallow HFS+ .git variants
      fsck: complain about HFS+ ".git" aliases in trees

Johannes Schindelin (3):
      path: add is_ntfs_dotgit() helper
      read-cache: optionally disallow NTFS .git variants
      fsck: complain about NTFS ".git" aliases in trees

Junio C Hamano (6):
      Start post 2.2 cycle
      Git 1.8.5.6
      Git 1.9.5
      Git 2.0.5
      Git 2.1.4
      Git 2.2.1
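
The three kinds of ".git" alias described in the release notes above (case variants, the NTFS short name "git~1", and HFS+ ignored code points such as U+200C), as an added audit sketch that is not part of the original announcement and is not Git's own code. The function names, the sample paths, and the set of ignored code points beyond U+200C are assumptions.

```python
# Added example: flag tree paths with a component that an affected
# filesystem could treat as ".git" (the three cases in the release notes).

# Code points assumed to be ignored by HFS+ in file names; the release
# notes name only U+200C, the rest of this set is an assumption.
HFS_IGNORED = (
    {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
    | set(range(0x202A, 0x202F))
    | set(range(0x206A, 0x2070))
)


def dotgit_alias(component):
    """Return why a single path component can alias ".git", or None."""
    if component == ".git":
        return "literal .git"
    if component.lower() == ".git":
        return "case variant"
    if component.lower() == "git~1":
        return "NTFS short name"
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORED)
    if stripped != component and stripped.lower() == ".git":
        return "HFS+ ignored code point"
    return None


def confusable_paths(paths):
    """Map each offending path to (component, reason) for its first hit."""
    findings = {}
    for path in paths:
        # Git tree paths always use "/" as the separator.
        for component in path.split("/"):
            reason = dotgit_alias(component)
            if reason:
                findings[path] = (component, reason)
                break
    return findings


# Constructed sample input: paths as they might be recorded in a tree.
SAMPLE = [
    "src/main.c",
    ".Git/config",
    "git~1/config",
    ".g\u200cit/config",
    "docs/.gitignore",
    "vendor/lib/.GIT/hooks/post-checkout",
]

if __name__ == "__main__":
    for path, (component, reason) in confusable_paths(SAMPLE).items():
        print(f"{path!r}: component {component!r} -> {reason}")
```

A check like this can be run over a repository's path list on any platform, which matches the note above that the fsck check is enabled everywhere even though only some filesystems are affected.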
