diff options
Diffstat (limited to 'third_party/git/Documentation/RelNotes/2.13.7.txt')
-rw-r--r-- | third_party/git/Documentation/RelNotes/2.13.7.txt | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/third_party/git/Documentation/RelNotes/2.13.7.txt b/third_party/git/Documentation/RelNotes/2.13.7.txt new file mode 100644 index 000000000000..09fc01406c7c --- /dev/null +++ b/third_party/git/Documentation/RelNotes/2.13.7.txt @@ -0,0 +1,20 @@ +Git v2.13.7 Release Notes +========================= + +Fixes since v2.13.6 +------------------- + + * Submodule "names" come from the untrusted .gitmodules file, but we + blindly append them to $GIT_DIR/modules to create our on-disk repo + paths. This means you can do bad things by putting "../" into the + name. We now enforce some rules for submodule names which will cause + Git to ignore these malicious names (CVE-2018-11235). + + Credit for finding this vulnerability and the proof of concept from + which the test script was adapted goes to Etienne Stalmans. + + * It was possible to trick the code that sanity-checks paths on NTFS + into reading random piece of memory (CVE-2018-11233). + +Credit for fixing for these bugs goes to Jeff King, Johannes +Schindelin and others. |