| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| X-Original-To: | cygwin AT cygwin DOT com |
| Delivered-To: | cygwin AT cygwin DOT com |
| DMARC-Filter: | OpenDMARC Filter v1.4.1 sourceware.org 05E713858D39 |
| Authentication-Results: | sourceware.org; |
| dmarc=none (p=none dis=none) header.from=dinwoodie.org | |
| Authentication-Results: | sourceware.org; spf=pass smtp.mailfrom=dinwoodie.org |
| Date: | Wed, 19 Oct 2022 12:58:38 +0100 |
| From: | Adam Dinwoodie <adam AT dinwoodie DOT org> |
| To: | cygwin AT cygwin DOT com |
| Subject: | [ANNOUNCEMENT] Security update: Git v2.38.1 |
| Message-Id: | <announce.20221019115838.iuztckl46ehzwv3b@lucy.dinwoodie.org> |
| MIME-Version: | 1.0 |
| X-Spam-Status: | No, score=-1.6 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, |
| KAM_NUMSUBJECT, SPF_HELO_NONE, SPF_PASS, | |
| TXREP autolearn=no autolearn_force=no version=3.4.6 | |
| X-Spam-Checker-Version: | SpamAssassin 3.4.6 (2021-04-09) on |
| server2.sourceware.org | |
| X-BeenThere: | cygwin-announce AT cygwin DOT com |
| X-Mailman-Version: | 2.1.29 |
| X-Mailer: | Perl5 Mail::Internet v2.20 |
| X-BeenThere: | cygwin AT cygwin DOT com |
| List-Id: | General Cygwin discussions and problem reports <cygwin.cygwin.com> |
| List-Archive: | <https://cygwin.com/pipermail/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-request AT cygwin DOT com?subject=help> |
| List-Subscribe: | <https://cygwin.com/mailman/listinfo/cygwin>, |
| <mailto:cygwin-request AT cygwin DOT com?subject=subscribe> | |
| Reply-To: | cygwin AT cygwin DOT com |
| Sender: | "Cygwin" <cygwin-bounces+archive-cygwin=delorie DOT com AT cygwin DOT com> |
Version 2.38.1-1 of Git has been uploaded to the Cygwin distribution servers, and should be coming soon to a mirror near you. Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. This is an update to the latest upstream release, and includes the following packages: - git - git-cvs - git-debuginfo - git-email - git-gui - gitk - git-p4 - git-svn Selected extracts from the changelog: > This release addresses the security issues CVE-2022-39253 and > CVE-2022-39260. > > * CVE-2022-39253: > When relying on the `--local` clone optimization, Git dereferences > symbolic links in the source repository before creating hardlinks > (or copies) of the dereferenced link in the destination repository. > This can lead to surprising behavior where arbitrary files are > present in a repository's `$GIT_DIR` when cloning from a malicious > repository. > > Git will no longer dereference symbolic links via the `--local` > clone mechanism, and will instead refuse to clone repositories that > have symbolic links present in the `$GIT_DIR/objects` directory. > > Additionally, the value of `protocol.file.allow` is changed to be > "user" by default. > > * CVE-2022-39260: > An overly-long command string given to `git shell` can result in > overflow in `split_cmdline()`, leading to arbitrary heap writes and > remote code execution when `git shell` is exposed and the directory > `$HOME/git-shell-commands` exists. > > `git shell` is taught to refuse interactive commands that are > longer than 4MiB in size. `split_cmdline()` is hardened to reject > inputs larger than 2GiB. For a full list of the upstream changes in this release, please refer to the upstream changelogs: https://git.kernel.org/cgit/git/git.git/tree/Documentation/RelNotes https://kernel.googlesource.com/pub/scm/git/git.git/+/master/Documentation/RelNotes/ https://github.com/git/git/tree/master/Documentation/RelNotes Enjoy! Adam -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |