path: root/Documentation
diff options
authorJunio C Hamano <>2018-05-29 08:09:58 (GMT)
committerJunio C Hamano <>2018-05-29 08:10:05 (GMT)
commit7913f53b5628997165e075008d6142da1c04271a (patch)
treeec9ffa97b492e873118bc9e3d521b9cab63b7098 /Documentation
parente144d126d74f5d2702870ca9423743102eec6fcd (diff)
parentfc54c1af3ec09bab8b8ea09768c2da4069b7f53e (diff)
Sync with Git 2.17.1
* maint: (25 commits) Git 2.17.1 Git 2.16.4 Git 2.15.2 Git 2.14.4 Git 2.13.7 fsck: complain when .gitmodules is a symlink index-pack: check .gitmodules files with --strict unpack-objects: call fsck_finish() after fscking objects fsck: call fsck_finish() after fscking objects fsck: check .gitmodules content fsck: handle promisor objects in .gitmodules check fsck: detect gitmodules files fsck: actually fsck blob data fsck: simplify ".git" check index-pack: make fsck error message more specific verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant ...
Diffstat (limited to 'Documentation')
5 files changed, 49 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.13.7.txt b/Documentation/RelNotes/2.13.7.txt
new file mode 100644
index 0000000..09fc014
--- /dev/null
+++ b/Documentation/RelNotes/2.13.7.txt
@@ -0,0 +1,20 @@
+Git v2.13.7 Release Notes
+Fixes since v2.13.6
+ * Submodule "names" come from the untrusted .gitmodules file, but we
+ blindly append them to $GIT_DIR/modules to create our on-disk repo
+ paths. This means you can do bad things by putting "../" into the
+ name. We now enforce some rules for submodule names which will cause
+ Git to ignore these malicious names (CVE-2018-11235).
+ Credit for finding this vulnerability and the proof of concept from
+ which the test script was adapted goes to Etienne Stalmans.
+ * It was possible to trick the code that sanity-checks paths on NTFS
+ into reading random piece of memory (CVE-2018-11233).
+Credit for fixing for these bugs goes to Jeff King, Johannes
+Schindelin and others.
diff --git a/Documentation/RelNotes/2.14.4.txt b/Documentation/RelNotes/2.14.4.txt
new file mode 100644
index 0000000..97755a8
--- /dev/null
+++ b/Documentation/RelNotes/2.14.4.txt
@@ -0,0 +1,5 @@
+Git v2.14.4 Release Notes
+This release is to forward-port the fixes made in the v2.13.7 version
+of Git. See its release notes for details.
diff --git a/Documentation/RelNotes/2.15.2.txt b/Documentation/RelNotes/2.15.2.txt
index 9f7e28f..b480e56 100644
--- a/Documentation/RelNotes/2.15.2.txt
+++ b/Documentation/RelNotes/2.15.2.txt
@@ -43,5 +43,8 @@ Fixes since v2.15.1
* Clarify and enhance documentation for "merge-base --fork-point", as
it was clear what it computed but not why/what for.
+ * This release also contains the fixes made in the v2.13.7 version of
+ Git. See its release notes for details.
Also contains various documentation updates and code clean-ups.
diff --git a/Documentation/RelNotes/2.16.4.txt b/Documentation/RelNotes/2.16.4.txt
new file mode 100644
index 0000000..6be538b
--- /dev/null
+++ b/Documentation/RelNotes/2.16.4.txt
@@ -0,0 +1,5 @@
+Git v2.16.4 Release Notes
+This release is to forward-port the fixes made in the v2.13.7 version
+of Git. See its release notes for details.
diff --git a/Documentation/RelNotes/2.17.1.txt b/Documentation/RelNotes/2.17.1.txt
new file mode 100644
index 0000000..e01384f
--- /dev/null
+++ b/Documentation/RelNotes/2.17.1.txt
@@ -0,0 +1,16 @@
+Git v2.17.1 Release Notes
+Fixes since v2.17
+ * This release contains the same fixes made in the v2.13.7 version of
+ Git, covering CVE-2018-11233 and 11235, and forward-ported to
+ v2.14.4, v2.15.2 and v2.16.4 releases. See release notes to
+ v2.13.7 for details.
+ * In addition to the above fixes, this release has support on the
+ server side to reject pushes to repositories that attempt to create
+ such problematic .gitmodules file etc. as tracked contents, to help
+ hosting sites protect their customers by preventing malicious
+ contents from spreading.