Re: [eclipse.org-committers] Git client vulnerability on Windows, Mac

yes, that’s why we have released 3.4.2:
see
http://git.eclipse.org/c/simrel/org.eclipse.simrel.build.git/commit/?h=Luna_maintenance&id=5c012858942c45318eeb17341a6363e0f6663ba6

--
Matthias

On 22.12.14 23:09, "Denis Roy" <denis.roy@xxxxxxxxxxx> wrote:

>Will this fix work its way into the Luna repo, so that those folks
>checking for updates will get it?
>
>On 12/22/2014 04:58 PM, Konstantin Komissarchik wrote:
>> The fix is included in the EGit/JGit 3.4.2 and 3.5.3 releases. Here is the
>> announcement from the egit-dev mailing list.
>>
>> http://dev.eclipse.org/mhonarc/lists/egit-dev/msg03717.html
>>
>> - Konstantin
>>
>>
>> -----Original Message-----
>> From: eclipse.org-committers-bounces@xxxxxxxxxxx
>> [mailto:eclipse.org-committers-bounces@xxxxxxxxxxx] On Behalf Of Denis Roy
>> Sent: Monday, December 22, 2014 1:57 PM
>> To: eclipse.org-committers@xxxxxxxxxxx
>> Subject: Re: [eclipse.org-committers] Git client vulnerability on Windows, Mac
>>
>> Oh, okay. So our vulnerable Windows and Mac users will know to look there,
>> build the changes then install them?
>>
>> Denis
>>
>>
>> On 12/22/2014 04:48 PM, Ahti Kitsik wrote:
>>> Hi Denis
>>>
>>> I can see that the vulnerability has been fixed in commits from Dec
>>> 18th:
>>> https://github.com/eclipse/jgit/commits/master
>>>
>>> The fix is also announced at
>>> http://dev.eclipse.org/mhonarc/lists/jgit-dev/msg02789.html
>>>
>>>
>>> Regards,
>>> Ahti
>>> --
>>> // http://ahtik.com @ahtik
>>>
>>> On Mon, Dec 22, 2014, at 05:53 PM, Denis Roy wrote:
>>>> Greetings!
>>>>
>>>> You may be aware of a vulnerability which affects Git clients on
>>>> Windows and Mac:
>>>>
>>>> https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
>>>>
>>>> The article mentions that jGit is affected as well, and that jGit has
>>>> issued a maintenance release,  but I'm not sure what happens in
>>>> Eclipse-land since the jGit web page doesn't mention a single thing,
>>>> and I cannot find anything in Bugzilla.
>>>>
>>>>        http://eclipse.org/jgit/
>>>>
>>>> I was only able to find this 2-year-old bug related to the issue:
>>>>
>>>>        https://bugs.eclipse.org/bugs/show_bug.cgi?id=367248
>>>>
>>>> I believe jGit is bundled in all our Eclipse packages that contain
>>>> eGit, so I will cc the Eclipse Security team.  If the jGit team has
>>>> more information, or if I'm ridiculously off-base on this, please
>>>> feel free to add more info.
>>>>
>>>>
>>>>
>>>> While I have your attention, I'd like to wish everyone a festive
>>>> holiday season. Matt and I will be casually monitoring Bugzilla
>>>> inboxes to make sure everything is working smoothly during the holiday
>>>> shutdown.
>>>>
>>>> Denis
>>>> _______________________________________________
>>>> eclipse.org-committers mailing list
>>>> eclipse.org-committers@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/eclipse.org-committers
>>>>
>>>> IMPORTANT: Membership in this list is generated by processes internal
>>>> to the Eclipse Foundation.  To be permanently removed from this list,
>>>> you must contact emo@xxxxxxxxxxx to request removal.