Diffstat (limited to 'docs/changelog.md')
-rw-r--r-- docs/changelog.md 11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/changelog.md b/docs/changelog.md
index a6794ab9d..7190777b7 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,14 @@
+v1.4.5
+------
+
+🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default.
+
+When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
+
+The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
+
+All users of the v1.4 release line are recommended to upgrade.
+
v1.4.4
------
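Review bot: the new v1.4.5 entry (the `+` lines above) describes the CVE-2023-22742 problem in detail but never states what this release actually changes, so a reader cannot tell from the changelog what the post-upgrade default is. The second paragraph explains that "Prior versions of libgit2 require the caller to set the `certificate_check` field" and that without it "clients will not perform validation on the server SSH keys", and the entry then jumps to "All users of the v1.4 release line are recommended to upgrade." Add one sentence between them saying what v1.4.5 does when no `certificate_check` callback is configured (for example, whether the connection is now refused or host-key validation is performed by libgit2 itself), and whether existing callers that already set `certificate_check` need to change anything. Two smaller points in the same paragraph: the bare hyphens used as dashes in "structure - if a certificate check callback" and "by default - without configuring" read as typos in rendered Markdown (an en-dash or a comma works better), and the thanks line repeats "the vulnerability" twice ("disclosing this vulnerability and assisting with fixing the vulnerability"); "assisting with the fix" is enough.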