Errors in handling case-sensitive directories allow for remote code execution on pull

Asked by Luke Faraone on 2014-12-18

From the upstream announcement[1]:

This is a security-fix for CVE-2014-9390, which affects users on
Windows and Mac OS X but not typical UNIX users. A set of new
releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
v2.1.4) are published at the same time and they contain the same fix.
Various implementations and ports, including Git for Windows, Git OS
X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
have been updated at the same time.

Even though the issue may not affect Linux users, if you are a
hosting service whose users may fetch from your service to Windows
or Mac OS X machines, you are strongly encouraged to update to
protect such users who use existing versions of Git.

This issue also affects hg[2].

[1]: http://article.gmane.org/gmane.linux.kernel/1853266
[2]: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29

Question information

Language: English
Status: Answered
For: Ubuntu git
Assignee: No assignee
Last query: 2014-12-18
Last reply: 2014-12-19

If you have reported the bug... why do you think you need to post a question as well? Especially when you haven't actually asked a question.

Please close this and it will keep all efforts on the bug where it belongs.

Thanks
