Re: [eclipse.org-committers] Git client vulnerability on Windows, Mac

[Denis Roy <denis.roy@xxxxxxxxxxx>]

Will this fix work its way into the Luna repo, so that those folks 
checking for updates will get it?

On 12/22/2014 04:58 PM, Konstantin Komissarchik wrote:
> The fix is included in the EGit/JGit 3.4.2 and 3.5.3 releases. Here is the
> announcement from the egit-dev mailing list.
>
> http://dev.eclipse.org/mhonarc/lists/egit-dev/msg03717.html
>
> - Konstantin
>
>
> -----Original Message-----
> From: eclipse.org-committers-bounces@xxxxxxxxxxx
> [mailto:eclipse.org-committers-bounces@xxxxxxxxxxx] On Behalf Of Denis Roy
> Sent: Monday, December 22, 2014 1:57 PM
> To: eclipse.org-committers@xxxxxxxxxxx
> Subject: Re: [eclipse.org-committers] Git client vulnerability on Windows,
> Mac
>
> Oh, okay. So our vulnerable Windows and Mac users will know to look there,
> build the changes then install them?
>
> Denis
>
>
> On 12/22/2014 04:48 PM, Ahti Kitsik wrote:
> > Hi Denis
> >
> > I can see that the vulnerability has been fixed in commits from Dec
> > 18th:
> > https://github.com/eclipse/jgit/commits/master
> >
> > The fix is also announced at
> > http://dev.eclipse.org/mhonarc/lists/jgit-dev/msg02789.html
> >
> >
> > Regards,
> > Ahti
> > --
> > // http://ahtik.com @ahtik
> >
> > On Mon, Dec 22, 2014, at 05:53 PM, Denis Roy wrote:
> > > Greetings!
> > >
> > > You may be aware of a vulnerability which affects Git clients on
> > > Windows and Mac:
> > >
> > > https://github.com/blog/1938-vulnerability-announced-update-your-git-
> > > clients
> > >
> > > The article mentions that jGit is affected as well, and that jGit has
> > > issued a maintenance release,  but I'm not sure what happens in
> > > Eclipse-land since the jGit web page doesn't mention a single thing,
> > > and I cannot find anything in Bugzilla.
> > >
> > >        http://eclipse.org/jgit/
> > >
> > > I was only able to find this 2-year-old bug related to the issue:
> > >
> > >        https://bugs.eclipse.org/bugs/show_bug.cgi?id=367248
> > >
> > > I believe jGit is bundled in all our Eclipse packages that contain
> > > eGit, so I will cc the Eclipse Security team.  If the jGit team has
> > > more information, or if I'm ridiculously off-base on this, please
> > > feel free to add more info.
> > >
> > >
> > >
> > > While I have your attention, I'd like to wish everyone a festive
> > > holiday season. Matt and I will be casually monitoring Bugzilla
> > > inboxes to make sure everything is working smoothly during the holiday
> shutdown.
> > > Denis
> > > _______________________________________________
> > > eclipse.org-committers mailing list
> > > eclipse.org-committers@xxxxxxxxxxx
> > > https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
> > >
> > > IMPORTANT: Membership in this list is generated by processes internal
> > > to the Eclipse Foundation.  To be permanently removed from this list,
> > > you must contact emo@xxxxxxxxxxx to request removal.
> > _______________________________________________
> > eclipse.org-committers mailing list
> > eclipse.org-committers@xxxxxxxxxxx
> > https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
> >
> > IMPORTANT: Membership in this list is generated by processes internal to
> the Eclipse Foundation.  To be permanently removed from this list, you must
> contact emo@xxxxxxxxxxx to request removal.
> >
> _______________________________________________
> eclipse.org-committers mailing list
> eclipse.org-committers@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
>
> IMPORTANT: Membership in this list is generated by processes internal to the
> Eclipse Foundation.  To be permanently removed from this list, you must
> contact emo@xxxxxxxxxxx to request removal.