[cross-project-issues-dev] Luna SR1a is now available for JGit security fix (CVE-2014-9390)

I hope most readers of this list have already applied the fix! But, in case not, now's a good time. Plus, good time to "socialize" the fix, since us having the fix ready does no good if users and adopters and distributions such as Ubuntu do not pick up the fix.

While the JGit team has had the fix available since December 18th, it was thought important enough to make easily available for those using EPP packages to get via automatic "check for updates" functionality and not to wait for SR2. (And, end of year holidays caused a little delay in us having it ready). Our "Sim. Release" activities are documented in bug 456947, which has pointers to original bug and more details about the issue.

Bug 456947 - JGit client vulnerability in Eclipse (CVE-2014-9390)

If users or adopters or distributors have installations older than Luna, the advice is to add a more recent EGit/JGit release to their installation by using one of the following update sites. They should all be compatible with releases back to at least Juno.

The first one in the list is the one closest to "Luna" and what you get if you simply "check for updates" from a Luna install. Some with older installs might feel safest with it, since it has been in the field the longest, but the newer ones are also considered stable, and perhaps better since they have new function and more functional fixes.
 https://projects.eclipse.org/projects/technology.egit/releases/3.4.2
 https://projects.eclipse.org/projects/technology.egit/releases/3.5.3
 https://projects.eclipse.org/projects/technology.egit/releases/3.6.0

Great thanks to
 a) the JGit team -- Shawn Pearce, Christian Halstrick, and Matthias Sohn, to name a few, who implemented the fix, working with their colleagues in Git, Mercurial, and other Git-based projects.
 b) the Eclipse Foundation -- Denis Roy and Christopher Guindon -- for supporting the roll-out.
 c) EclipseSource -- Markus Knauer -- for creating the "EPP repo and packages" part of the fix.
 d) and, well, IBM for allowing me time to work on it!

Good luck ... now, on to SR2!

