path: root/Documentation
diff options
authorJunio C Hamano <>2018-05-22 05:10:49 (GMT)
committerJunio C Hamano <>2018-05-22 05:10:49 (GMT)
commit7b01c71b64d25202d80b73cbd46104ebfddbdab3 (patch)
tree98de7ee189397c8e539459ed1a699be47cc0bff3 /Documentation
parentfc849d8d6b90e5c1e0c37bc0d60dd92b2fe7347f (diff)
parent0114f71344844be9e5add321cffea34bac077d75 (diff)
Sync with Git 2.13.7
* maint-2.13: Git 2.13.7 verify_path: disallow symlinks in .gitmodules update-index: stat updated files earlier verify_dotfile: mention case-insensitivity in comment verify_path: drop clever fallthrough skip_prefix: add case-insensitive variant is_{hfs,ntfs}_dotgitmodules: add tests is_ntfs_dotgit: match other .git files is_hfs_dotgit: match other .git files is_ntfs_dotgit: use a size_t for traversing string submodule-config: verify submodule names as paths
Diffstat (limited to 'Documentation')
1 files changed, 20 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.13.7.txt b/Documentation/RelNotes/2.13.7.txt
new file mode 100644
index 0000000..09fc014
--- /dev/null
+++ b/Documentation/RelNotes/2.13.7.txt
@@ -0,0 +1,20 @@
+Git v2.13.7 Release Notes
+Fixes since v2.13.6
+ * Submodule "names" come from the untrusted .gitmodules file, but we
+ blindly append them to $GIT_DIR/modules to create our on-disk repo
+ paths. This means you can do bad things by putting "../" into the
+ name. We now enforce some rules for submodule names which will cause
+ Git to ignore these malicious names (CVE-2018-11235).
+ Credit for finding this vulnerability and the proof of concept from
+ which the test script was adapted goes to Etienne Stalmans.
+ * It was possible to trick the code that sanity-checks paths on NTFS
+ into reading random piece of memory (CVE-2018-11233).
+Credit for fixing for these bugs goes to Jeff King, Johannes
+Schindelin and others.