Git Mailing List Archive on lore.kernel.org
 help / color / Atom feed
* [ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300
@ 2021-03-09 18:03 Junio C Hamano
  0 siblings, 0 replies; only message in thread
From: Junio C Hamano @ 2021-03-09 18:03 UTC (permalink / raw)
  To: git

The latest maintenance release Git v2.30.2, together with releases
for older maintenance tracks v2.17.6, v2.18.5, v2.19.6, v2.20.5,
v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1,
v2.28.1 and v2.29.3, is now available at the usual places.

These maintenance releases are to addresses the security issues
CVE-2021-21300.  Please update.

The credit for these releases all goes to Matheus Tavares and
Johannes Schindelin.  I didn't have to do anything but tagging their
result, cutting releases, and sending out this announcement.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.30.2'
tag and the 'maint' branch that the tag points at:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.

----------------------------------------------------------------

Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

 * CVE-2021-21300:
   On case-insensitive file systems with support for symbolic links,
   if Git is configured globally to apply delay-capable clean/smudge
   filters (such as Git LFS), Git could be fooled into running
   remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-09 18:03 [ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 Junio C Hamano

Git Mailing List Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/git/0 git/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 git git/ https://lore.kernel.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.git


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git