Eclipse Community Forums: EGit / JGit » CVE-2023-4759 workaround for JGit 4.1.1

Home » Eclipse Projects » EGit / JGit » CVE-2023-4759 workaround for JGit 4.1.1(Is there a way to set core.symlinks to false using the API?)

CVE-2023-4759 workaround for JGit 4.1.1 [message #1871736]

Mon, 07 October 2024 10:02

Eclipse User

We're using JGit 4.1.1 and EGit 4.1.1. We can't upgrade for now to a never version. We stumbled upon the CVE-2023-4759 recently and are working towards remediating it.
The workaround is to set the 'core.symlinks' property to false. Is there a way to set this using the API?
I went through the code related to CoreConfig and CoreConfig.SymLinks classes, with no results.

Re: CVE-2023-4759 workaround for JGit 4.1.1 [message #1871754 is a reply to message #1871736]

Tue, 08 October 2024 04:10

Eclipse User

Ouch, 4.1.1 is 9 years old and we don't support such ancient versions.
You should really upgrade.

If you want to change git config programmatically you can load, modify and save it using the classes
org.eclipse.jgit.lib.StoredConfig and its base class org.eclipse.jgit.lib.Config.

This forum is deprecated hence in the future please use GitHub issues or discussions in our GitHub mirror https://github.com/eclipse-jgit/jgit
to report issues or start discussions. You can also use our mailing list.
See https://github.com/eclipse-egit/egit/wiki/Contributor-Guide

Re: CVE-2023-4759 workaround for JGit 4.1.1 [message #1871757 is a reply to message #1871754]

Tue, 08 October 2024 09:52

Eclipse User

Thank you for pointing me in the direction of these classes Matthias Sohn.

I guess my habit of posting on a forum, is at least as old, as the version of JGit we're using.

Previous Topic:	JGit orphan branch checkout
Next Topic:	Memory consumption for DirCacheCheckout

Goto Forum:

-=] Back to Top [=-

Current Time: Mon May 12 03:00:21 EDT 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter