Bug#774050: CVE-2014-9390

tony mancill tmancill at debian.org
Tue Dec 30 16:13:08 UTC 2014


On 12/30/2014 05:18 AM, Emmanuel Bourg wrote:
> Here are the relevant commits to backport:
> 
> Always ignore case when forbidding .git in ObjectChecker
> https://github.com/eclipse/jgit/commit/07612a6
> 
> Disallow ".git." and ".git<space>"
> https://github.com/eclipse/jgit/commit/10310bf
> 
> Disallow Windows shortname "GIT~1"
> https://github.com/eclipse/jgit/commit/a09b1b6
> 
> Disallow names potentially mapping to ".git" on HFS+
> https://github.com/eclipse/jgit/commit/d476d2f

I spent some time looking at this too, but from the perspective of what
upstream release branches have these commits.

They are on stable-3.4, which is version 3.4.2 (and is the closest to
3.4.0, which is what we have in jessie/sid), but upstream didn't apply
them to stable-2.0 (wheezy).  So I think the patches will need to be
cherry-picked or hand-applied to our source versions.

We'll also need to create security-${RELEASE} branches in the pkg-java
repo for this, as 3.5.2 has already been staged on master.

I do wonder how many of our users are running case-insensitive file
systems though...

tony
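
The four name rules Emmanuel lists above (".git" ignoring case, ".git" with trailing dots or spaces, the "GIT~1" short name, and ".git" with HFS+-ignored code points) written out as a stand-alone Python illustration added to this archive page. This is not jgit's ObjectChecker code; it assumes tree-entry names have already been decoded from UTF-8, and the sample tree below is constructed for the example:

```python
"""Tree-entry name checks of the kind CVE-2014-9390 requires.

Illustration added for this thread; it is not jgit's ObjectChecker.
Assumes entry names have already been decoded from UTF-8 (git stores
raw bytes; an undecodable name should be rejected separately).
"""
from typing import List, Optional, Tuple

# Code points HFS+ ignores when comparing file names, so ".g\u200cit" and
# ".git" name the same directory there (the set git's own check ignores).
HFS_IGNORED_CODEPOINTS = frozenset({
    0x200C, 0x200D, 0x200E, 0x200F,                  # ZWNJ, ZWJ, LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # bidi embedding / override
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,  # deprecated format controls
    0xFEFF,                                          # zero-width no-break space
})


def is_dot_git_ignoring_case(name: str) -> bool:
    """'.git' in any case: ".GIT" is the same entry on a case-insensitive FS."""
    return name.lower() == ".git"


def is_ntfs_dot_git(name: str) -> bool:
    """'.git' followed only by dots and/or spaces; Windows strips those
    trailing characters when it creates the file, yielding ".git"."""
    return name.rstrip(". ").lower() == ".git"


def is_ntfs_shortname_git(name: str) -> bool:
    """The 8.3 short name NTFS assigns to ".git" is "GIT~1"."""
    return name.lower() == "git~1"


def is_hfs_dot_git(name: str) -> bool:
    """'.git' once the code points HFS+ ignores are dropped, ignoring case."""
    visible = "".join(c for c in name if ord(c) not in HFS_IGNORED_CODEPOINTS)
    return visible.lower() == ".git"


def check_tree_entry_name(name: str) -> Optional[str]:
    """Return why the name must be rejected, or None if it is acceptable.

    The order only affects the reason string: the NTFS check is a
    superset of the plain case-insensitive one.
    """
    if is_dot_git_ignoring_case(name):
        return "is .git (case-insensitive)"
    if is_ntfs_dot_git(name):
        return "becomes .git when Windows strips trailing dots/spaces"
    if is_ntfs_shortname_git(name):
        return "is the NTFS 8.3 short name of .git"
    if is_hfs_dot_git(name):
        return "becomes .git once HFS+-ignored code points are dropped"
    return None


def rejected_entries(names: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a tree's entry names; return (name, reason) pairs."""
    out = []
    for n in names:
        reason = check_tree_entry_name(n)
        if reason is not None:
            out.append((n, reason))
    return out


# Constructed sample tree, not taken from any real repository.
SAMPLE_TREE_ENTRIES = [
    "README", ".gitignore", "git", ".git2", "GIT~2",
    ".git", ".GIT", ".git.", ".Git  . ", "GIT~1", "git~1",
    ".g\u200cit", ".GI\ufeffT",
]

if __name__ == "__main__":
    for name, reason in rejected_entries(SAMPLE_TREE_ENTRIES):
        print(f"reject {name!r}: {reason}")
```

The point of the last two sample names is that a server or client on a case-sensitive Linux file system sees nothing wrong with them, while a checkout on Windows or OS X writes into the real .git directory; that is why the check has to run on every tree entry received, not only on platforms that are themselves case-insensitive.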

