From 0114f71344844be9e5add321cffea34bac077d75 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 22 May 2018 13:50:36 +0900 Subject: [PATCH] Git 2.13.7 Signed-off-by: Junio C Hamano --- Documentation/RelNotes/2.13.7.txt | 20 ++++++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.13.7.txt diff --git a/Documentation/RelNotes/2.13.7.txt b/Documentation/RelNotes/2.13.7.txt new file mode 100644 index 0000000000..09fc01406c --- /dev/null +++ b/Documentation/RelNotes/2.13.7.txt @@ -0,0 +1,20 @@ +Git v2.13.7 Release Notes +========================= + +Fixes since v2.13.6 +------------------- + + * Submodule "names" come from the untrusted .gitmodules file, but we + blindly append them to $GIT_DIR/modules to create our on-disk repo + paths. This means you can do bad things by putting "../" into the + name. We now enforce some rules for submodule names which will cause + Git to ignore these malicious names (CVE-2018-11235). + + Credit for finding this vulnerability and the proof of concept from + which the test script was adapted goes to Etienne Stalmans. + + * It was possible to trick the code that sanity-checks paths on NTFS + into reading random piece of memory (CVE-2018-11233). + +Credit for fixing for these bugs goes to Jeff King, Johannes +Schindelin and others. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3db6830bed..1534654ffc 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.13.6 +DEF_VER=v2.13.7 LF=' ' diff --git a/RelNotes b/RelNotes index c2dd9dd6ad..a7f9eca981 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.13.6.txt \ No newline at end of file +Documentation/RelNotes/2.13.7.txt \ No newline at end of file -- 2.11.4.GIT