diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-12-04 21:33:15 (GMT) |
---|---|---|
committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2019-12-06 15:30:51 (GMT) |
commit | 4cd1cf31efed9b16db5035c377bfa222f5272458 (patch) | |
tree | 8cb10fa6e02a094dd7ea429f50a92174940ded6e /Documentation | |
parent | c1547450748fcbac21675f2681506d2d80351a19 (diff) | |
download | git-4cd1cf31efed9b16db5035c377bfa222f5272458.zip git-4cd1cf31efed9b16db5035c377bfa222f5272458.tar.gz git-4cd1cf31efed9b16db5035c377bfa222f5272458.tar.bz2 |
Git 2.20.2v2.20.2
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/RelNotes/2.20.2.txt | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.20.2.txt b/Documentation/RelNotes/2.20.2.txt new file mode 100644 index 0000000..8e680cb --- /dev/null +++ b/Documentation/RelNotes/2.20.2.txt @@ -0,0 +1,18 @@ +Git v2.20.2 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6, v2.15.4 +and in v2.17.3, addressing the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes +for those versions for details. + +The change to disallow `submodule.<name>.update=!command` entries in +`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 +added explicit fsck checks) fixes the vulnerability in v2.20.x where a +recursive clone followed by a submodule update could execute code +contained within the repository without the user explicitly having +asked for that (CVE-2019-19604). + +Credit for finding this vulnerability goes to Joern Schneeweisz, +credit for the fixes goes to Jonathan Nieder. |