git-annex/doc/news/security_fix_release.mdwn

33 lines
1.4 KiB
Text
Raw Normal View History

2018-06-26 02:14:32 +00:00
git-annex 6.20180626 is an important security fix release.
See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
for details about the security holes fixed in this release.
After upgrading git-annex, you should restart any git-annex assistant
processes.
Several changes to git-annex's behavior had to be made as part of the
security fixes:
* A security fix has changed git-annex to refuse to download content from
some special remotes when the content cannot be verified with a hash check.
In particular URL and WORM keys stored on such remotes won't be downloaded.
See the documentation of the annex.security.allow-unverified-downloads
configuration for how to deal with this if it affects your files.
* A security fix has changed git-annex to only support http, https, and ftp
URL schemes by default. You can enable other URL schemes, at your own risk,
using annex.security.allowed-url-schemes.
* A related security fix prevents git-annex from connecting to http
servers (and proxies) on localhost or private networks. This can
be overridden, at your own risk, using annex.security.allowed-http-addresses.
* Setting annex.web-options no longer is enough to make curl be used,
and youtube-dl is also no longer used by default. See the
documentation of annex.security.allowed-http-addresses for
details and how to enable them.
* The annex.web-download-command configuration has been removed,
use annex.web-options instead.