I hope most readers of this list have already
applied the fix! But, in case not, now's a good time. Plus, good time to
"socialize" the fix, since us having the fix ready does no good,
if users and adopters and distributions such as Ubuntu do not pick up the
While the JGit team has had the fix
available since December 18th, it was thought important enough to make
easily available for those using EPP packages to get via automatic
"check for updates" functionality
and not to wait for SR2. (And, end of year holidays caused a little delay
in us having it ready). Our "Sim. Release" activities are documented
in bug 456947, which has pointers to original bug and more details about
- JGit client vulnerability in Eclipse (CVE-2014-9390)
If users or adopters or distributors have installations
older than Luna, the advice is to add a more recent EGit/JGit release to
their installation by using one of the following update sites. They should
all be compatible with releases back to at least Juno.
The first one in the list is the one closest to "Luna"
and what you get if you simply "check for updates" from a Luna
install. Some with older installs might feel safest with it, since it has
been in the field the longest, but the newer ones are also considered stable,
and perhaps better since they have new function and more functional fixes.
Great thanks to
a) the JGit team -- Shawn Pearce, Christian Halstrick,
and Matthias Sohn, to name a few, who implemented the fix, working with
their colleagues in Git, Mercurial, and other Git-based projects.
b) the Eclipse Foundation -- Denis Roy and Christopher
Guindon -- for supporting the roll-out.
c) EclipseSource -- Markus Knauer -- for creating
the "EPP repo and packages" part of the fix.
d) and, well, IBM for allowing me time to work on