Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] FYI: Luna SR1a - JGit client vulnerability in Eclipse (CVE-2014-9390)

Posting to cross-project. Many thanks to Markus and David for making a fix happen in the packages and simrel.

-------- Forwarded Message --------
Subject: 	[epp-dev] FYI: Luna SR1a - JGit client vulnerability in
Eclipse (CVE-2014-9390)
Date: 	Fri, 9 Jan 2015 17:20:45 +0100
From: 	Markus Knauer <mknauer@xxxxxxxxxxxxxxxxx>
Reply-To: 	Eclipse Packaging Project <epp-dev@xxxxxxxxxxx>
To: 	EPP Developer Mailing List <epp-dev@xxxxxxxxxxx>

Hi all (and a Happy New Year to everyone!)

Some days before Christmas a discussion about a Git vulnerability [1]
had been started on the Committers mailing list [2]. Fortunately the
JGit team was extremely responsive and had a fix available shortly
after. Since then the issue has been discussed in the Planning Council
call this week [3] and in many mails. Others have already updated their
products (e.g. Gerrit 2.9.4 and most Linux distros), or are in the
process of updating (e.g. Netbeans nightly builds).

In order to address this issue as quick as possible and as smooth as
possible for our users, I've created updated Luna SR1a packages that
contain the updated JGit/EGit 3.4.2. This build is based on an updated
p2 repository that David created yesterday. The plan is to roll out the
packages and the updated p2 repositories on Monday.

All details and the progress is documented in this bug:

*Bug 456947* <>
-JGit client vulnerability in Eclipse (CVE-2014-9390)

Luna SR1a build:

Luna SR1a p2 update test repositories:

Thanks and regards,


epp-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top