====================================================================
CERT-Renater Information Note No. 2018/VULN198
_____________________________________________________________________

DATE                 : 30/05/2018
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Git versions prior to 2.17.1, 2.13.7, 2.14.4, 2.15.2, 2.16.4.
=====================================================================

https://marc.info/?l=git&m=152761328506724&w=2
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.1.txt
https://groups.google.com/forum/#!topic/git-for-windows/xIhDD89WSEs
_____________________________________________________________________

The latest maintenance release Git v2.17.1 and updates to older
maintenance tracks are now available at the usual places.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.17.1'
tag and the 'maint' branch that the tag points at, as well as the
v2.13.7, v2.14.4, v2.15.2 and v2.16.4 tags:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git v2.17.1 Release Notes
=========================

Fixes since v2.17
-----------------

 * This release contains the same fixes made in the v2.13.7 version of
   Git, covering CVE-2018-11233 and CVE-2018-11235, forward-ported to
   the v2.14.4, v2.15.2 and v2.16.4 releases. See the release notes for
   v2.13.7 for details.

 * In addition to the above fixes, this release adds support on the
   server side for rejecting pushes to repositories that attempt to
   create such problematic .gitmodules files etc. as tracked contents,
   to help hosting sites protect their customers with older clients by
   preventing malicious contents from spreading. This is enabled by the
   same receive.fsckObjects configuration on the server side as other
   security and sanity related checks (e.g. rejecting a tree entry
   ".GIT" in the wrong case as tracked contents, targeting victims on
   case-insensitive systems) that have already been implemented in past
   releases. It is recommended to double check your configuration if
   you are hosting contents for other people.

Git v2.13.7 Release Notes
=========================

Fixes since v2.13.6
-------------------

 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

   Credit for finding this vulnerability and the proof of concept from
   which the test script was adapted goes to Etienne Stalmans.

 * It was possible to trick the code that sanity-checks paths on NTFS
   into reading a random piece of memory (CVE-2018-11233).

Credit for fixing these bugs goes to Jeff King, Johannes Schindelin and
others.

________________________________________________________________________

Dear Git users,

It is my pleasure to announce that Git for Windows 2.17.1(2) is available from:

    https://gitforwindows.org/

Changes since Git for Windows v2.17.0 (April 3rd 2018)

New Features

 * Comes with Git v2.17.1.
 * Comes with Perl v5.26.2.
 * The installer now offers VS Code Insiders as an option for Git's default editor if it is installed.
 * The vim configuration was modernized.
 * Certain errors, e.g. when pushing failed due to a non-fast-forwarding change, are now colorful.
 * Comes with cURL v7.60.0.
 * Comes with Git Credential Manager v1.16.1.
 * Comes with Git LFS v2.4.2.

Bug Fixes

 * Fixed an issue with recursive clone (CVE-2018-11235).
 * This release really contains Git v2.17.1 (due to a bug in the release automation, Git for Windows v2.17.1 did not actually include Git v2.17.1).
 * Aliases that expand to shell commands can now take arguments containing curly brackets.
 * Ctrl+C is now handled in Git Bash in a sophisticated way: it emulates the way Ctrl+C is handled in Git CMD, but in a fine-grained way.
 * Based on the new Ctrl+C handling in Git Bash, pressing Ctrl+C while git log is running will only stop Git from traversing the commit history, but keep the pager running.
 * Git was fixed to work correctly in Docker volumes inside Windows containers.
 * Tab completion of git status -- is now a lot faster.
 * Git for Windows now creates directory symlinks correctly when asked to.
 * The option to disable revocation checks with Secure Channel which was introduced in v2.16.1(2) now really works.
 * Git no longer enters an infinite loop when misspelling git status as, say, git Status.

Ciao,
Johannes
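The submodule-name rule from the v2.13.7 notes above (the same issue the Git for Windows "recursive clone" fix addresses), as an added Python audit script for a .gitmodules file. This is not git's own code: it re-implements the described rule (reject an empty name or any ".." path component, with "/" and "\" both treated as separators) and adds a second check that the resulting $GIT_DIR/modules path stays inside the modules directory; the sample .gitmodules content and the /srv/repo path are constructed.

```python
import os
import re

# Constructed sample .gitmodules (not from the advisory): one benign entry
# and one whose name carries ".." as a path component.
SAMPLE_GITMODULES = """\
[submodule "libs/helper"]
\tpath = libs/helper
\turl = https://example.invalid/helper.git
[submodule "../../hooks"]
\tpath = vendor/hooks
\turl = https://example.invalid/hooks.git
"""

# Section header of a submodule entry: [submodule "<name>"]
_SECTION_RE = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')


def submodule_names(gitmodules_text: str) -> list[str]:
    """Return every submodule name declared in the .gitmodules text."""
    matches = (_SECTION_RE.match(line) for line in gitmodules_text.splitlines())
    return [m.group(1) for m in matches if m]


def is_safe_submodule_name(name: str) -> bool:
    """Re-implementation (not git's code) of the rule added in v2.13.7:
    reject an empty name and any name with ".." as a path component.
    Both "/" and "\\" count as separators so the rule is platform-independent."""
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def find_unsafe_names(gitmodules_text: str) -> list[str]:
    """Names a fixed client ignores and a receive.fsckObjects server rejects."""
    return [n for n in submodule_names(gitmodules_text)
            if not is_safe_submodule_name(n)]


def resolves_inside(modules_dir: str, name: str) -> bool:
    """Secondary check showing what the rule protects: does
    <modules_dir>/<name> still lie under modules_dir after normalisation?"""
    base = os.path.normpath(modules_dir)
    target = os.path.normpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)


if __name__ == "__main__":
    for name in submodule_names(SAMPLE_GITMODULES):
        print(f"{name!r}: safe={is_safe_submodule_name(name)}, "
              f"inside={resolves_inside('/srv/repo/.git/modules', name)}")
```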
==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================