<https://github.com/blog/1938-vulnerability-announced-update-your-git-clients>
<http://article.gmane.org/gmane.linux.kernel/1853266>

The GitHub announcement was just reported widely via the O'Reilly network.

The vulnerability applies to GitHub for Windows and GitHub for Mac and the 
command-line git they provide. 

According to the gmane announcement, this extends to TortoiseGit and to the 
custom Git client introduced with Visual Studio 2013.  Git provided under 
MSYS[2], Cygwin, and other bundlings on Windows will also be vulnerable, 
especially via the use of "short names" such as "git~1".

In Apache Project Git repositories and their mirrors, it is useful to ensure 
that there are no ambiguous git* names, including with differing 
capitalizations, and also no other names that differ in case only.  "~" is best 
avoided altogether in repository file names. (Case-insensitive collisions and 
some awkward characters (like ":") already cause problems in checkout and 
update from ASF SVN to SVN working directories on Windows and perhaps Mac.)

 - Dennis

PS: I have managed to update my GitHub for Windows and confirmed that, running 
the Git Shell on Windows, the latest version seems to be running.  That is not 
the case for TortoiseGit, MSYS2, and Visual Studio so far, but I can do all of 
my Git work using GitHub for Windows.  I also updated the Corinthia .gitignore 
to ignore all files with "~" in their names.

PPS: The CVE is not available at Mitre just yet, although there are other 
reports about it, <http://www.bing.com/search?q=cve-2014-9390>. 

 -- Dennis E. Hamilton
    [email protected]
    [email protected]    +1-206-779-9430
    https://keybase.io/orcmid  PGP F96E 89FF D456 628A
    X.509 certs used and requested for signed e-mail
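
The repository check suggested in the message (no ambiguous git* names, no names differing in case only, no "~"), sketched in Python as an added example that is not part of the original message or of any Apache tooling. The function names and the sample paths are constructed for illustration; `tracked_paths` assumes a `git` binary on the PATH.

```python
import re
import subprocess
from collections import defaultdict

# Windows 8.3 "short name" form mentioned in the message, e.g. "git~1".
SHORT_GIT = re.compile(r"git~\d+", re.IGNORECASE)


def audit_paths(paths):
    """Return (git_like, tilde, collisions) for repository-relative paths."""
    git_like, tilde = set(), set()
    spellings = defaultdict(set)  # casefolded prefix -> spellings seen
    for path in paths:
        parts = path.split("/")
        for i, part in enumerate(parts):
            # ".git" in any capitalization, or its short-name alias.
            if part.casefold() == ".git" or SHORT_GIT.fullmatch(part):
                git_like.add(path)
            if "~" in part:
                tilde.add(path)
            # Record every directory and file prefix so that directories
            # differing only in case are caught, not just whole paths.
            prefix = "/".join(parts[: i + 1])
            spellings[prefix.casefold()].add(prefix)
    collisions = sorted(sorted(s) for s in spellings.values() if len(s) > 1)
    return sorted(git_like), sorted(tilde), collisions


def tracked_paths(repo="."):
    """List tracked paths; -z keeps unusual file names intact."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return [p for p in out.decode("utf-8", "surrogateescape").split("\0") if p]


# Constructed sample input, not taken from any real repository.
SAMPLE = [
    "README.md",
    "docs/Guide.txt",
    "Docs/guide.txt",
    ".Git/config",
    "tools/GIT~1/hooks/pre-commit",
    "notes/draft~.txt",
]

if __name__ == "__main__":
    git_like, tilde, collisions = audit_paths(SAMPLE)
    print("git-like names:", git_like)
    print("names with '~':", tilde)
    print("case-only collisions:", collisions)
```

To audit a real checkout, pass `tracked_paths("/path/to/repo")` to `audit_paths` in place of `SAMPLE`.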



