This is the mail archive of the cygwin-announce mailing list for the Cygwin project.
Security update: Git v2.14.1-1
- From: Adam Dinwoodie <adam at dinwoodie dot org>
- To: cygwin-announce at cygwin dot com
- Date: Mon, 14 Aug 2017 09:33:24 +0100
- Subject: Security update: Git v2.14.1-1
- Authentication-results: sourceware.org; auth=none
- Reply-to: The Cygwin Mailing List <cygwin at cygwin dot com>
Version 2.14.1-1 of Git has been uploaded and should be coming soon to a
mirror near you. This update includes the following packages:
- git
- git-cvs
- git-debuginfo
- git-email
- git-gui
- gitk
- git-p4
- git-svn
This is an update to the latest upstream release, which specifically
fixes CVE-2017-1000117, where a malicious "ssh://..." URL, including one
specified in a .gitmodules file and thus parsed as part of `git clone
--recurse-submodules` or similar, could result in an arbitrary
executable being run on the client system.
For a full list of the upstream changes in this release, please refer to
the upstream changelogs:
https://git.kernel.org/cgit/git/git.git/tree/Documentation/RelNotes
https://kernel.googlesource.com/pub/scm/git/git.git/+/master/Documentation/RelNotes/
https://github.com/gitster/git/tree/master/Documentation/RelNotes
Enjoy!
Adam
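
Added example, not part of the announcement and not Git's own code: upstream's 2.14.1 release notes describe the flaw as an "ssh://" URL whose hostname begins with a dash being treated by ssh as an option. The script below audits a .gitmodules file for such URLs before a recursive clone on a client that has not been updated yet; the sample content and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .gitmodules content (not taken from the announcement).
SAMPLE_GITMODULES = '''\
[submodule "lib/ok"]
	path = lib/ok
	url = ssh://git@example.org/team/ok.git
[submodule "lib/odd"]
	path = lib/odd
	url = ssh://-example-host/team/odd.git
[submodule "lib/https"]
	path = lib/https
	url = https://example.org/team/web.git
'''

SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]+)"\]\s*$')
URL_LINE = re.compile(r'^\s*url\s*=\s*(?P<url>\S+)\s*$')
SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}  # URL schemes Git hands to ssh


def suspicious(url):
    """True if an ssh-style URL's authority or host begins with '-'."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in SSH_SCHEMES:
        return False
    authority = parts.netloc                 # [user@]host[:port], kept raw
    host = authority.rsplit("@", 1)[-1]      # drop an optional user@ prefix
    # Conservative rule chosen for this example: flag either form.
    return authority.startswith("-") or host.startswith("-")


def audit_gitmodules(text):
    """Return [(submodule_name, url)] for every suspicious submodule URL."""
    findings, current = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group("name")
            continue
        m = URL_LINE.match(line)
        if m and suspicious(m.group("url")):
            findings.append((current, m.group("url")))
    return findings


if __name__ == "__main__":
    for name, url in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"suspicious submodule {name!r}: {url}")
```

A finding is a reason to inspect the repository by hand; installing the updated packages remains the fix.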