<https://github.com/blog/1938-vulnerability-announced-update-your-git-clients>
<http://article.gmane.org/gmane.linux.kernel/1853266>
The GitHub announcement was just reported widely via the O'Reilly network.
The vulnerability applies to GitHub for Windows and GitHub for Mac and the
command-line git they provide.
According to the gmane announcement, this extends to TortoiseGit and to the
custom Git client introduced with Visual Studio 2013. Git provided under
MSYS[2], CygWin, and other bundlings on Windows will also be vulnerable,
especially via the use of "short names" such as "git~1".
In Apache Project Git repositories and their mirrors, it is useful to ensure
that there are no ambiguous git* names, including with differing
capitalizations, and also no other names that differ in case only. "~" is best
avoided altogether in repository file names. (Case-insensitive collisions and
some awkward characters (like ":") already cause problems in checkout and
update from ASF SVN to SVN working directories on Windows and perhaps Mac.)
- Dennis
PS: I have managed to update my GitHub for Windows and confirmed that, running
the Git Shell on Windows, the latest version seems to be running. That is not
the case for TortoiseGit and MSYS2 so far, but I can do all of my Git work
using GitHub for Windows. I also updated the Corinthia .gitignore to ignore
all files with "~" in their names.
-- Dennis E. Hamilton
+1-206-779-9430
https://keybase.io/orcmid PGP F96E 89FF D456 628A
X.509 certs used and requested for signed e-mail
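As an added example (not part of Dennis's message or of any Apache project's tooling), here is a Python script that applies the three checks the message recommends to a list of tracked paths: path components that a case-insensitive or 8.3-short-name filesystem could resolve to `.git` (such as `.GIT` or `git~1`), names containing `~`, and files or directories that differ only in letter case. The sample paths and the function name `audit_paths` are constructed for this example; on a real repository you would feed it the output of `git ls-files` instead.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of tracked paths, in the shape `git ls-files` prints them.
# These are invented for the example, not taken from any real repository.
SAMPLE_PATHS = [
    "src/main.c",
    "Src/legacy.c",                    # directory differs from "src" only in case
    "docs/README.md",
    "docs/readme.md",                  # file differs from the line above only in case
    "tools/.GIT/hooks/post-checkout",  # case variant of the .git directory
    "tools/git~1/config",              # 8.3 short name that Windows maps to .git
    "notes/plan.txt~",                 # editor backup name containing "~"
    "lib/util.py",
]

# Windows 8.3 short names for ".git" look like GIT~1, GIT~2, ... (case-insensitive).
SHORT_NAME_RE = re.compile(r"^git~\d+$", re.IGNORECASE)


def audit_paths(paths):
    """Return the problems found in an iterable of repository-relative paths.

    Result keys:
      'dot_git'   - paths with a component that may resolve to the .git directory
      'tilde'     - paths with a component containing '~'
      'case_only' - groups of files or directories that differ only by letter case
    """
    dot_git, tilde = [], []
    groups = defaultdict(set)  # lower-cased prefix -> original spellings seen
    for path in paths:
        parts = path.split("/")
        if any(p.lower() == ".git" or SHORT_NAME_RE.match(p) for p in parts):
            dot_git.append(path)
        if any("~" in p for p in parts):
            tilde.append(path)
        # Record every leading prefix so directory-level case clashes are caught
        # too, not only clashes between complete file paths.
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            groups[prefix.lower()].add(prefix)
    case_only = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return {"dot_git": dot_git, "tilde": tilde, "case_only": case_only}


if __name__ == "__main__":
    # Usage: git ls-files | python audit.py   (falls back to the sample when run alone)
    paths = SAMPLE_PATHS if sys.stdin.isatty() else [l.rstrip("\n") for l in sys.stdin]
    report = audit_paths(paths)
    for key, hits in report.items():
        for hit in hits:
            print(f"{key}: {hit}")
```

A path such as `tools/git~1/config` is reported under both `dot_git` and `tilde`, which is intended: it is both a `.git` look-alike and a name the message says to avoid outright.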