2018-06-26 02:14:32 +00:00
|
|
|
git-annex 6.20180626 is an important security fix release.
|
|
|
|
|
|
|
|
See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
|
|
|
|
for details about the security holes fixed in this release.
|
|
|
|
|
|
|
|
After upgrading git-annex, you should restart any git-annex assistant
|
|
|
|
processes.
|
|
|
|
|
|
|
|
Several changes to git-annex's behavior had to be made as part of the
|
|
|
|
security fixes:
|
|
|
|
|
|
|
|
* A security fix has changed git-annex to refuse to download content from
|
|
|
|
some special remotes when the content cannot be verified with a hash check.
|
|
|
|
In particular URL and WORM keys stored on such remotes won't be downloaded.
|
|
|
|
See the documentation of the annex.security.allow-unverified-downloads
|
|
|
|
configuration for how to deal with this if it affects your files.
|
|
|
|
|
|
|
|
* A security fix has changed git-annex to only support http, https, and ftp
|
|
|
|
URL schemes by default. You can enable other URL schemes, at your own risk,
|
|
|
|
using annex.security.allowed-url-schemes.
|
|
|
|
|
|
|
|
* A related security fix prevents git-annex from connecting to http
|
|
|
|
servers (and proxies) on localhost or private networks. This can
|
2019-05-30 16:43:40 +00:00
|
|
|
be overridden, at your own risk, using annex.security.allowed-ip-addresses.
|
2018-06-26 02:14:32 +00:00
|
|
|
|
|
|
|
* Setting annex.web-options no longer is enough to make curl be used,
|
|
|
|
and youtube-dl is also no longer used by default. See the
|
|
|
|
documentation of annex.security.allowed-http-addresses for
|
|
|
|
details and how to enable them.
|
|
|
|
|
|
|
|
* The annex.web-download-command configuration has been removed,
|
|
|
|
use annex.web-options instead.
|