Posted to dev@corinthia.apache.org by "Dennis E. Hamilton" <or...@apache.org> on 2014/12/20 22:19:33 UTC

Git Security Vulnerability (CVE-2014-9390)

<https://github.com/blog/1938-vulnerability-announced-update-your-git-clients>
<http://article.gmane.org/gmane.linux.kernel/1853266>


The GitHub announcement was just reported widely via the O'Reilly network.

The vulnerability applies to GitHub for Windows and GitHub for Mac and the command-line git they provide. 

According to the gmane announcement, this extends to TortoiseGit and to the custom Git client introduced with Visual Studio 2013.  Git provided under MSYS[2], CygWin, and other bundlings on Windows will also be vulnerable, especially via the use of "short names" such as "git~1".

In Apache Project Git repositories and their mirrors, it is useful to ensure that there are no ambiguous git* names, including with differing capitalizations, and also no other names that differ in case only.  "~" is best avoided altogether in repository file names. (Case-insensitive collisions and some awkward characters (like ":") already cause problems in checkout and update from ASF SVN to SVN working directories on Windows and perhaps Mac.)

 - Dennis

PS: I have managed to update my GitHub for Windows and confirmed that, running the Git Shell on Windows, the latest version seems to be running.  That is not the case for TortoiseGit and MSYS2 so far, but I can do all of my Git work using GitHub for Windows.  I also updated the Corinthia .gitignore to ignore all files with "~" in their names.

 -- Dennis E. Hamilton
    orcmid@apache.org
    dennis.hamilton@acm.org    +1-206-779-9430
    https://keybase.io/orcmid  PGP F96E 89FF D456 628A
    X.509 certs used and requested for signed e-mail
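The repository hygiene Dennis describes above (no ambiguous ".git"-like names in any capitalization, no 8.3 short names such as "git~1", no "~" in file names, and no two paths that differ only in case) can be checked mechanically. The following Python script is an added example, not part of the original post or of any Apache project; it assumes the input is the path listing produced by `git ls-files` and the sample listing it carries is constructed for illustration. Patched Git clients refuse to check out such tree entries, but auditing the repository itself lets a maintainer find them before anyone with an unpatched client on a case-insensitive filesystem clones it.

```python
"""Audit a list of repository paths for names that are risky on
case-insensitive filesystems (Windows, default macOS), following the
checks recommended in the post: ".git" in any capitalization, 8.3
short names such as "git~1", names containing "~", and entries that
differ only in letter case.

Added example code; not part of the original post. Assumes the input
is the output of `git ls-files` (one repository-relative path per line).
"""
import re
import subprocess
from collections import defaultdict

# Windows may expose ".git" under the 8.3 short name "GIT~1" (or GIT~2, ...).
SHORT_NAME_RE = re.compile(r"^git~[0-9]+$", re.IGNORECASE)


def _components(path):
    """Split a repository path into its directory and file components."""
    return [c for c in path.replace("\\", "/").split("/") if c]


def audit_paths(paths):
    """Return a dict of findings keyed by category.

    dotgit_variants : a component equal to ".git" ignoring case
    short_names     : a component like "git~1" (8.3 short name of .git)
    tilde_names     : any component containing "~"
    case_collisions : groups of distinct paths (files or directories)
                      that collapse to one path when compared
                      case-insensitively
    """
    findings = {
        "dotgit_variants": [],
        "short_names": [],
        "tilde_names": [],
        "case_collisions": [],
    }
    by_folded = defaultdict(set)

    for path in paths:
        comps = _components(path)
        if any(c.lower() == ".git" for c in comps):
            findings["dotgit_variants"].append(path)
        if any(SHORT_NAME_RE.match(c) for c in comps):
            findings["short_names"].append(path)
        if any("~" in c for c in comps):
            findings["tilde_names"].append(path)
        # Record every prefix (each directory and the file itself) so that
        # "Docs/a.txt" and "docs/b.txt" are reported as a directory collision.
        for i in range(1, len(comps) + 1):
            prefix = "/".join(comps[:i])
            by_folded[prefix.lower()].add(prefix)

    for folded, originals in sorted(by_folded.items()):
        if len(originals) > 1:
            findings["case_collisions"].append(sorted(originals))

    return findings


def audit_git_repo(repo_dir="."):
    """Run the audit against the files tracked in a local git checkout."""
    out = subprocess.check_output(["git", "-C", repo_dir, "ls-files"], text=True)
    return audit_paths(out.splitlines())


# Constructed sample listing (not taken from any real repository).
SAMPLE_PATHS = [
    "README.md",
    "src/main.c",
    "src/Main.c",
    "docs/guide.txt",
    "Docs/index.txt",
    "vendor/.Git/config",
    "build/GIT~1/hooks/post-checkout",
    "notes/draft~",
]

if __name__ == "__main__":
    for category, items in audit_paths(SAMPLE_PATHS).items():
        print(f"{category}: {items}")
```

Run it inside a checkout with `python audit.py` to see the constructed sample, or call `audit_git_repo()` against a real repository. A path can appear in more than one category (a "GIT~1" directory is both a short name and a "~" name); the case-collision check deliberately includes directory prefixes, because two directories that differ only in case break a Windows checkout just as two files do.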