corinthia-dev mailing list archives
From "Dennis E. Hamilton" <>
Subject Git Security Vulnerability (CVE-2014-9390)
Date Sat, 20 Dec 2014 21:19:33 GMT

The GitHub announcement was just reported widely via the O'Reilly network.

The vulnerability applies to GitHub for Windows and GitHub for Mac and the command-line git
they provide. 

According to the gmane announcement, this extends to TortoiseGit and to the custom Git client
introduced with Visual Studio 2013.  Git provided under MSYS[2], Cygwin, and other bundlings
on Windows will also be vulnerable, especially via the use of "short names" such as "git~1".

In Apache Project Git repositories and their mirrors, it is useful to ensure that there are
no ambiguous git* names, including with differing capitalizations, and also no other names
that differ in case only.  "~" is best avoided altogether in repository file names. (Case-insensitive
collisions and some awkward characters (like ":") already cause problems in checkout and update
from ASF SVN to SVN working directories on Windows and perhaps Mac.)

 - Dennis

PS: I have managed to update my GitHub for Windows and confirmed that, running the Git Shell
on Windows, the latest version seems to be running.  That is not the case for TortoiseGit
and MSYS2 so far, but I can do all of my Git work using GitHub for Windows.  I also updated
the Corinthia .gitignore to ignore all files with "~" in their names.

 -- Dennis E. Hamilton    +1-206-779-9430  PGP F96E 89FF D456 628A
    X.509 certs used and requested for signed e-mail
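An added example, not part of Dennis's message or of the Corinthia project, showing how a repository maintainer could check a list of tracked paths for the conditions he recommends avoiding: path components that could be treated as `.git` on a case-insensitive or 8.3-short-name filesystem (`.Git`, `GIT`, or an assumed `git~N` short form), names containing `~`, and paths that differ from one another in case only. The input paths are constructed for the example; in practice they would come from `git ls-files` on the repository being audited.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample of tracked paths (not from any real repository).
SAMPLE_PATHS = [
    "README.md",
    "src/Main.java",
    "src/main.java",        # case-only collision with the line above
    "docs/.Git/config",     # capitalization variant of .git
    "build/git~1/HEAD",     # assumed 8.3-style short name that can alias .git
    "notes/draft~",         # contains a tilde
    "lib/utils.py",
]

# Assumed short-name form: "git~" followed by digits, any capitalization.
_SHORT_NAME_RE = re.compile(r"^git~\d+$", re.IGNORECASE)


def is_git_metadata_alias(component: str) -> bool:
    """True if a single path component may resolve to .git on a filesystem
    that folds case or exposes 8.3 short names."""
    return component.lower() == ".git" or bool(_SHORT_NAME_RE.match(component))


def find_problem_paths(paths):
    """Scan paths and return {issue: sorted list of offending paths}.

    Issues reported:
      git_alias       - a component that may be treated as .git
      tilde           - a component containing "~"
      case_collision  - two or more files or directories whose names differ
                        only in case (checked at every directory level)
    """
    issues = defaultdict(set)
    by_folded = defaultdict(set)   # lower-cased prefix -> original prefixes

    for path in paths:
        parts = PurePosixPath(path).parts
        for component in parts:
            if is_git_metadata_alias(component):
                issues["git_alias"].add(path)
            if "~" in component:
                issues["tilde"].add(path)
        # Record every prefix so directory-level collisions are caught too.
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            by_folded[prefix.lower()].add(prefix)

    for originals in by_folded.values():
        if len(originals) > 1:
            issues["case_collision"].update(originals)

    return {name: sorted(found) for name, found in issues.items()}


if __name__ == "__main__":
    for issue, found in sorted(find_problem_paths(SAMPLE_PATHS).items()):
        print(issue)
        for p in found:
            print("   ", p)
```

The case-collision check keys on every directory prefix rather than only on file names, so `Src/` and `src/` would be flagged even if the files inside them differ. Run against the output of `git ls-files` this makes a reasonable pre-commit or CI gate for the repository hygiene the message describes.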
