From: Junio C Hamano <gitster@pobox.com> To: git@vger.kernel.org Subject: [ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 Date: Tue, 09 Mar 2021 10:03:06 -0800 [thread overview] Message-ID: <xmqqim6019yd.fsf@gitster.c.googlers.com> (raw) The latest maintenance release Git v2.30.2, together with releases for older maintenance tracks v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1 and v2.29.3, is now available at the usual places. These maintenance releases are to addresses the security issues CVE-2021-21300. Please update. The credit for these releases all goes to Matheus Tavares and Johannes Schindelin. I didn't have to do anything but tagging their result, cutting releases, and sending out this announcement. The tarballs are found at: https://www.kernel.org/pub/software/scm/git/ The following public repositories all have a copy of the 'v2.30.2' tag and the 'maint' branch that the tag points at: url = https://kernel.googlesource.com/pub/scm/git/git url = git://repo.or.cz/alt-git.git url = https://github.com/gitster/git ---------------------------------------------------------------- Git v2.30.2 Release Notes ========================= This release merges up the fixes that appear in v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security issue CVE-2021-21300; see the release notes for these versions for details. ---------------------------------------------------------------- Git v2.17.6 Release Notes ========================= This release addresses the security issues CVE-2021-21300. Fixes since v2.17.5 ------------------- * CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. Credit for finding and fixing this vulnerability goes to Matheus Tavares, helped by Johannes Schindelin.
reply other threads:[~2021-03-09 18:04 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=xmqqim6019yd.fsf@gitster.c.googlers.com \ --to=gitster@pobox.com \ --cc=git@vger.kernel.org \ --subject='Re: [ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).