Message-ID: <54983553.7070103@cs.umass.edu>
Date: Mon, 22 Dec 2014 10:14:27 -0500
From: Eliot Moss
Reply-To: moss AT cs DOT umass DOT edu
To: cygwin AT cygwin DOT com
Subject: Re: Major Git vulnerability announced; when can we expect an update to the Cygwin git package?
In-Reply-To: <20141222120629.GA20436@dinwoodie.org>

On 12/22/2014 7:06 AM, Adam Dinwoodie wrote:
> On Thu, Dec 18, 2014 at 03:50:52PM -0800, Richard Mehlinger wrote:
>> Git has announced a major vulnerability, allowing attackers to set up
>> a malicious git repository that can be used to take over a client
>> computer: https://github.com/blog/1938-vulnerability-announced-update-your-git-clients.
>> Maintenance releases are already out for current Git versions.
>>
>> My question is: When can we expect an update to the Cygwin git package
>> to address these concerns?
>
> I'm aware of the vulnerability and intend to publish a new package as
> soon as possible. A combination of the holiday period, technical
> problems and assorted other real life is making this more difficult than
> I would like, but I expect to get it released by 11 January at the
> absolute latest, and hopefully much sooner than that.

Meanwhile, if you're concerned, I found that the latest git from github
built and installed (to /usr/local/bin, etc.) quite easily.

Regards -- Eliot Moss