author | Edward Thomson <ethomson@edwardthomson.com> | 2023-01-18 23:02:12 +0000 |
---|---|---|
committer | Edward Thomson <ethomson@edwardthomson.com> | 2023-01-18 23:02:12 +0000 |
commit | 1fda949267a4416cfaa5938a017c80162164f894 (patch) | |
tree | 2107d558ae529436bab0cc2f5535e2688070df49 | |
parent | 6a4421ff333d8c21962b387c0457354f157193f1 (diff) | |
download | libgit2-1fda949267a4416cfaa5938a017c80162164f894.tar.gz |
meta: add changelog for v1.5.1
-rw-r--r-- | docs/changelog.md | 11 |
1 file changed, 11 insertions, 0 deletions
diff --git a/docs/changelog.md b/docs/changelog.md index 989800a11..448a8a0ff 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,3 +1,14 @@ +v1.5.1 +------ + +🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default. + +When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. + +The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability. + +All users of the v1.5 release line are recommended to upgrade. + v1.5 ---- |
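Review bot: the new v1.5.1 entry describes the vulnerability but never states what this release actually changes, so a reader cannot tell from "This is a security release to address CVE-2023-22742" whether v1.5.1 now rejects unknown SSH host keys by default, whether it consults a known-hosts source, or whether callers must still set `certificate_check` on `git_remote_callbacks`. Add one sentence after "Prior versions of libgit2 require the caller to set the `certificate_check` field ..." that says what the default behaviour is now and what a caller who relied on the old behaviour has to do after upgrading; that is the information someone reading a security changelog needs in order to act. Two smaller points in the same paragraph: it uses "SSH keys", "certificate checking" and "server SSH keys" interchangeably for the same check, so pick one phrasing (for example "SSH host key verification, performed through the `certificate_check` callback") and use it throughout; and "Prior versions of libgit2 require the caller to set" should read "required", since the sentence is describing behaviour this release replaces. The dash punctuation in "This means that by default - without configuring a certificate check callback, clients will not perform validation" is unbalanced; either close the aside with a second dash or drop the dash and use commas.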