Bug#774050: CVE-2014-9390

2015-01-16 Thread Moritz Mühlenhoff
On Tue, Dec 30, 2014 at 08:13:08AM -0800, tony mancill wrote:
> On 12/30/2014 05:18 AM, Emmanuel Bourg wrote:
> > Here are the relevant commits to backport:
> > 
> > Always ignore case when forbidding .git in ObjectChecker
> > https://github.com/eclipse/jgit/commit/07612a6
> > 
> > Disallow ".git." and ".git"
> > https://github.com/eclipse/jgit/commit/10310bf
> > 
> > Disallow Windows shortname "GIT~1"
> > https://github.com/eclipse/jgit/commit/a09b1b6
> > 
> > Disallow names potentially mapping to ".git" on HFS+
> > https://github.com/eclipse/jgit/commit/d476d2f
> 
> I spent some time looking at this too, but from the perspective of what
> upstream release branches have these commits.
> 
> They are on stable-3.4, which is version 3.4.2 (and is the closest to
> 3.4.0, which is what we have in jessie/sid), but upstream didn't apply
> them to stable-2.0 (wheezy).  So I think the patches will need to be
> cherry-picked or hand-applied to our source versions.
> 
> We'll also need to create security-${RELEASE} branches in the pkg-java
> repo for this, as 3.5.2 has already been staged on master.
> 
> I do wonder how many of our users are running case-insensitive file
> systems though...

Can we please get that fixed in jessie?

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#774050: CVE-2014-9390

2014-12-30 Thread tony mancill
On 12/30/2014 05:18 AM, Emmanuel Bourg wrote:
> Here are the relevant commits to backport:
> 
> Always ignore case when forbidding .git in ObjectChecker
> https://github.com/eclipse/jgit/commit/07612a6
> 
> Disallow ".git." and ".git"
> https://github.com/eclipse/jgit/commit/10310bf
> 
> Disallow Windows shortname "GIT~1"
> https://github.com/eclipse/jgit/commit/a09b1b6
> 
> Disallow names potentially mapping to ".git" on HFS+
> https://github.com/eclipse/jgit/commit/d476d2f

I spent some time looking at this too, but from the perspective of what
upstream release branches have these commits.

They are on stable-3.4, which is version 3.4.2 (and is the closest to
3.4.0, which is what we have in jessie/sid), but upstream didn't apply
them to stable-2.0 (wheezy).  So I think the patches will need to be
cherry-picked or hand-applied to our source versions.

We'll also need to create security-${RELEASE} branches in the pkg-java
repo for this, as 3.5.2 has already been staged on master.

I do wonder how many of our users are running case-insensitive file
systems though...

tony


Bug#774050: CVE-2014-9390

2014-12-30 Thread Emmanuel Bourg
Here are the relevant commits to backport:

Always ignore case when forbidding .git in ObjectChecker
https://github.com/eclipse/jgit/commit/07612a6

Disallow ".git." and ".git"
https://github.com/eclipse/jgit/commit/10310bf

Disallow Windows shortname "GIT~1"
https://github.com/eclipse/jgit/commit/a09b1b6

Disallow names potentially mapping to ".git" on HFS+
https://github.com/eclipse/jgit/commit/d476d2f

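The four commit titles listed above describe a single name check: a tree entry must be rejected if, on some filesystem, it would collapse into the ".git" directory. As an added example (not JGit's ObjectChecker code and not git's own fsck code; written in Python for this page so it runs on its own), here is a standalone version of that check covering each case in the list: case-insensitive ".git", ".git" followed only by dots and spaces (which Windows strips), the 8.3 short name "GIT~1", and names that HFS+ folds to ".git" because it ignores certain code points. The HFS+ ignorable set is the one git uses for this check; the sample tree at the bottom is constructed for illustration.

```python
"""Reject tree-entry names that a case-insensitive or name-folding
filesystem would map onto the ".git" directory (CVE-2014-9390 class).

Added example for this bug thread, not JGit's or git's own code.
"""

# Code points HFS+ ignores when comparing file names, so ".g\u200cit" and
# ".git" name the same directory on a Mac.  Set as used by git's HFS+ check.
HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F,          # zero-width (non-)joiner, LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # bidi embedding/override controls
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,  # deprecated format controls
    0xFEFF,                                  # zero-width no-break space / BOM
])


def is_ntfs_dotgit(name: str) -> bool:
    """Windows/NTFS view of the name.

    The OS strips trailing dots and spaces, so ".git.", ".git " and ".git. ."
    all open ".git"; comparison is case-insensitive; and "GIT~1" is the 8.3
    short name a ".git" directory gets.  "git~2" and later short names are
    deliberately not covered here, matching the scope of the listed commits.
    """
    lower = name.lower()
    for stem in (".git", "git~1"):
        tail = lower[len(stem):]
        if lower.startswith(stem) and all(c in ". " for c in tail):
            return True
    return False


def is_hfs_dotgit(name: str) -> bool:
    """HFS+ view of the name: drop ignorable code points, then compare
    case-insensitively (HFS+ volumes are case-insensitive by default)."""
    folded = "".join(c for c in name if ord(c) not in HFS_IGNORABLE)
    return folded.lower() == ".git"


def is_forbidden_dotgit(name: str) -> bool:
    """True if any supported filesystem would treat `name` as ".git".

    The two views are checked independently, as a single name only ever
    lands on one filesystem at a time."""
    return is_ntfs_dotgit(name) or is_hfs_dotgit(name)


def check_tree(entries):
    """Return the entry names of a tree object that must be rejected.

    Run this on the receiving side (fsck of incoming objects), regardless of
    the server's own filesystem: the victim is whoever later checks the tree
    out on Windows or macOS."""
    return [n for n in entries if is_forbidden_dotgit(n)]


# Constructed sample tree (not from any real repository).
SAMPLE_TREE = [".gitignore", "README", ".GIT", "GIT~1", ".g\u200cit", "src"]


if __name__ == "__main__":
    for bad in check_tree(SAMPLE_TREE):
        print("rejecting tree entry %r" % bad)
```

Note what the check does not do: it does not look at the server's filesystem at all. A hosting server on ext4 stores ".GIT/hooks/post-checkout" as an ordinary path, and the damage happens when a Windows or macOS client checks that tree out, so the rejection has to sit in the object checker on the way in, not in a checkout-time test.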


Bug#774050: CVE-2014-9390

2014-12-27 Thread Moritz Muehlenhoff
Source: jgit
Severity: important
Tags: security

jgit is also affected by the recent git vulnerability:
http://openwall.com/lists/oss-security/2014/12/18/21

Cheers,
Moritz
