security-fix for CVE-2014-9390 (How do we upgrade or patch Egit for the Git Vulnerability)

security-fix for CVE-2014-9390 [message #1537258] Tue, 30 December 2014 18:44
Fred Sawyer

From 12-18-2014
http://article.gmane.org/gmane.linux.kernel/1853266

What is the best course of action to patch or upgrade egit for this listed vulnerability?

[Updated on: Tue, 30 December 2014 19:28] by Moderator


Re: security-fix for CVE-2014-9390 [message #1537638 is a reply to message #1537258] Tue, 30 December 2014 23:44
Matthias Sohn

upgrade JGit & EGit to 3.4.2, 3.5.3 or 3.6.0

https://projects.eclipse.org/projects/technology.egit/releases/3.4.2
https://projects.eclipse.org/projects/technology.egit/releases/3.5.3
https://projects.eclipse.org/projects/technology.egit/releases/3.6.0
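
As an added example (not from the thread or from the JGit/EGit project), this Python check flags JGit/EGit bundles in an Eclipse `plugins/` listing that predate the fixed releases named in the reply above. It assumes the usual `name_major.minor.micro.qualifier.jar` bundle file naming and that releases after 3.6.0 keep the fix; the sample file names and the function names are constructed for illustration.

```python
import re

# First patched micro release per maintenance branch, as listed in the reply above.
FIXED_MICRO = {(3, 4): 2, (3, 5): 3}
# 3.6.0 carries the fix; ASSUMPTION: so does every later release.
FIRST_FIXED_BRANCH = (3, 6)

# ASSUMPTION: bundle files are named <symbolic-name>_<major>.<minor>.<micro>[.<qualifier>].jar
BUNDLE_RE = re.compile(
    r"^(org\.eclipse\.(?:jgit|egit)(?:\.[A-Za-z0-9.]+)?)"
    r"_(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\.jar$"
)

# Constructed sample listing of a plugins/ directory (qualifiers are made up).
SAMPLE_PLUGINS = [
    "org.eclipse.jgit_3.4.1.v000000000000-r.jar",
    "org.eclipse.egit.ui_3.4.1.v000000000000-r.jar",
    "org.eclipse.jgit_3.5.3.v000000000000-r.jar",
    "org.eclipse.jgit.archive_3.3.2.v000000000000-r.jar",
    "org.eclipse.egit.core_3.6.1.v000000000000-r.jar",
    "org.eclipse.core.runtime_3.10.0.v000000000000.jar",
]

def has_fix(major, minor, micro):
    """True if the version is at or past a fixed release on its branch."""
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    fixed = FIXED_MICRO.get((major, minor))  # None: no fixed release on this branch
    return fixed is not None and micro >= fixed

def audit(filenames):
    """Return (bundle, version, fixed) for every JGit/EGit bundle file name."""
    results = []
    for name in filenames:
        m = BUNDLE_RE.match(name)
        if m is None:
            continue  # not a JGit/EGit bundle
        version = tuple(int(p) for p in m.group(2, 3, 4))
        results.append((m.group(1), ".".join(map(str, version)), has_fix(*version)))
    return results

def needs_upgrade(filenames):
    """Sorted 'bundle version' strings for bundles older than a fixed release."""
    return sorted(f"{b} {v}" for b, v, ok in audit(filenames) if not ok)

if __name__ == "__main__":
    for bundle, version, ok in audit(SAMPLE_PLUGINS):
        print(f"{'ok     ' if ok else 'UPGRADE'} {bundle} {version}")
```

To check a real installation, pass `os.listdir()` of its `plugins` directory to `needs_upgrade`.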

Re: security-fix for CVE-2014-9390 [message #1538862 is a reply to message #1537638] Wed, 31 December 2014 16:11
Fred Sawyer

Awesome! Thanks for the quick reply. Happy New Year's!

Re: security-fix for CVE-2014-9390 [message #1561779 is a reply to message #1538862] Tue, 13 January 2015 09:42
Markus Knauer

We rolled out this security fix for Eclipse Luna yesterday. It is now possible to use 'Help' > 'Check for Updates' to upgrade an Eclipse Luna (4.4.x) based installation to Luna SR1a.

See the announcement "Eclipse Ships Luna SR1a Git Security Release" in Mike's blog.

Regards,
Markus

Re: security-fix for CVE-2014-9390 [message #1562194 is a reply to message #1561779] Tue, 13 January 2015 14:59
kurt Mising name

Will you provide that on http://download.eclipse.org/eclipse/downloads/ also ?

Re: security-fix for CVE-2014-9390 [message #1562240 is a reply to message #1562194] Tue, 13 January 2015 15:35
Markus Knauer

Quote:
Will you provide that on http://download.eclipse.org/eclipse/downloads/ also ?


That's not required because JGit/EGit isn't included in those downloads.

Regards,
Markus

Re: security-fix for CVE-2014-9390 [message #1563507 is a reply to message #1562240] Wed, 14 January 2015 08:34
kurt Mising name

Sorry - yes - it came to my mind as soon as I pushed the button ;)

Another question:

Is E/JGit 3.6.1 compatible with Luna 4.4.1 ?

Or do we have to stick on E/JGit 3.4.x ?

Thanks
Kurt

Re: security-fix for CVE-2014-9390 [message #1563528 is a reply to message #1563507] Wed, 14 January 2015 08:49
Markus Knauer

Quote:
Is E/JGit 3.6.1 compatible with Luna 4.4.1 ?
Or do we have to stick on E/JGit 3.4.x ?


I haven't tried it myself but according to David's mail on cross-project-issues-dev newer versions should be compatible.

[cross-project-issues-dev] Luna SR1a is now available for JGit security fix (CVE-2014-9390)

3.6.1 isn't listed in the mail but since it is only a point release with bugfixes I assume it is compatible.

Regards,
Markus

Re: security-fix for CVE-2014-9390 [message #1565688 is a reply to message #1563528] Thu, 15 January 2015 12:22
Matthias Sohn

Yes, 3.6.1 is compatible with 4.4.1; the supported Eclipse versions are listed here:
https://wiki.eclipse.org/EGit/FAQ#What_versions_of_Eclipse_does_EGit_target.3F