summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJunio C Hamano <gitster@pobox.com>2018-09-27 11:19:11 -0700
committerJunio C Hamano <gitster@pobox.com>2018-09-27 11:19:11 -0700
commitd0832b2847aa9669c09397c5639d7fe56abaf9fc (patch)
tree67048c677fda1401b05a512207b50f55d89e985e
parent273c61496f88c6495b886acb1041fe57965151da (diff)
downloadgit-d0832b2847aa9669c09397c5639d7fe56abaf9fc.tar.gz
Git 2.14.5v2.14.5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--Documentation/RelNotes/2.14.5.txt16
-rwxr-xr-xGIT-VERSION-GEN2
l---------RelNotes2
3 files changed, 18 insertions, 2 deletions
diff --git a/Documentation/RelNotes/2.14.5.txt b/Documentation/RelNotes/2.14.5.txt
new file mode 100644
index 0000000000..130645fb29
--- /dev/null
+++ b/Documentation/RelNotes/2.14.5.txt
@@ -0,0 +1,16 @@
+Git v2.14.5 Release Notes
+=========================
+
+This release is to address the recently reported CVE-2018-17456.
+
+Fixes since v2.14.4
+-------------------
+
+ * Submodules' "URL"s come from the untrusted .gitmodules file, but
+ we blindly gave it to "git clone" to clone submodules when "git
+ clone --recurse-submodules" was used to clone a project that has
+ such a submodule. The code has been hardened to reject such
+ malformed URLs (e.g. one that begins with a dash).
+
+Credit for finding and fixing this vulnerability goes to joernchen
+and Jeff King, respectively.
diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
index 918b6c21ba..40680482ce 100755
--- a/GIT-VERSION-GEN
+++ b/GIT-VERSION-GEN
@@ -1,7 +1,7 @@
#!/bin/sh
GVF=GIT-VERSION-FILE
-DEF_VER=v2.14.4
+DEF_VER=v2.14.5
LF='
'
diff --git a/RelNotes b/RelNotes
index 1b1ac35878..a127ce63f2 120000
--- a/RelNotes
+++ b/RelNotes
@@ -1 +1 @@
-Documentation/RelNotes/2.14.4.txt \ No newline at end of file
+Documentation/RelNotes/2.14.5.txt \ No newline at end of file