X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; q=dns; s=default; b=l8PuacO
	TZVTR2uQ0NhMgjXImPC7QuqZejPIX6phMgBnexl6J+CFuTf3mC7h3e7rAicqCgd0
	pppik10SmyvToSYulRG34z9zKYG9fwBW2liEg5HiEhhBPwnlPTQITt8/4eAFhQho
	S9+rLUg0445fMtnZxrAZRaaYAo23O58BwCaQ=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type; s=default; bh=Ysjn0MGRJmfoX
	kqzsuwU+9+Ge/g=; b=jmmeDIn9u6tUJBXKGtLhH7T614Ll4rFJ8k0q9HzeZePwW
	dl3hPEmb39bm5PiiOJgM91tTBIbUWyYEEYyK+oMDElz3XyE4Ova2HB41Sgs2l/cD
	AryBMvYIrmRIvZduLbtfoKuSrhbpMn1pNXWu7spcgVugeRkL/eMymsLcVaUuFc=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-1.1 required=5.0 tests=AWL,BAYES_00,KAM_NUMSUBJECT,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.2 spammy=forth, life, personal
X-HELO: mail-oi0-f45.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=dinwoodie.org; s=google;        h=mime-version:references:in-reply-to:from:date:message-id:subject:to;        bh=bxwflSbD8OxtLpJ/FsZTAZGPigVC/FqMTIbD/cNaXHE=;        b=dxDmEwy+oNzlyjVHOemKBGvAjQ0/VabM77R4ivuZBCexihXxwlTiU2IBfy11IjD93m         8EpT4IMvFgMos94xDS+MXzrJfZlrNMfEDLvH8j0ik6NEt5C53Qx7p0qVomAdBJPg7jyF         GAHZpWSs4noFX0krPbd2JtzezIoWGNDtCaRtY=
MIME-Version: 1.0
References: <20180719165604 DOT 7996 DOT F7B0B048 AT k7i DOT jp>
In-Reply-To: <20180719165604.7996.F7B0B048@k7i.jp>
From: Adam Dinwoodie <adam AT dinwoodie DOT org>
Date: Thu, 19 Jul 2018 13:38:51 +0100
Message-ID: <CA+kUOamqSYO7Z=0hsZrRsEqBpDFvG_JYc1vwyaTahTWh9iUxLw@mail.gmail.com>
Subject: Re: Question on CVE-2018-11235
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes

On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> Hello,
>
> Does anyone know when git client package to fix the following
> vulnerability will be released for Cygwin?
>
>     https://nvd.nist.gov/vuln/detail/CVE-2018-11235
>
> Currently, all the versions I can choose on Cygwin installer are
> 2.16.1-1, 2.16.2-1 or 2.17.0-1.

I'm afraid personal life has got in the way of me producing a more
up-to-date version of Git since the versions you've found. I'll
produce a new release when I get the chance, but I don't want to
commit to any particular dates at this point.

In the meantime, I'd suggest either not cloning untrusted repositories
while using the `--recurse-submodules` option (or, as general security
practice, not cloning untrusted repositories at all), or compiling Git
locally yourself.

As a general point, if people want to compile Git themselves, it's
normally straightforward, either using the upstream Git sources, or
using the Cygport packaging sources from
https://github.com/me-and/Cygwin-Git. I only haven't released it
myself because I have a higher bar for making sure the test suite
passes and so forth for something that'll be used by a significant
chunk of the Cygwin user base, than for something that's only going to
be used by me.

Adam
Your local friendly Git package maintainer

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple