git-annex/doc/news/version_6.20170818.mdwn

50 lines
2.8 KiB
Text
Raw Normal View History

**Note** this is a security fix release. A prompt upgrade is strongly
recommended. Attacks using this security hole will involve the attacker
either providing a ssh repository url to the user, or the user pulling from
a git-annex repository provided by an attacker and then running `git annex
enableremote`. For details about the security hole, see
2017-08-20 20:50:53 +00:00
[[bugs/dashed_ssh_hostname_security_hole]]. CVE-2017-12976
2017-08-18 15:21:11 +00:00
2017-08-18 15:19:53 +00:00
git-annex 6.20170818 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Security fix: Disallow hostname starting with a dash, which
would get passed to ssh and be treated an option. This could
be used by an attacker who provides a crafted repository url
to cause the victim to execute arbitrary code via -oProxyCommand.
(The same class of security hole recently affected git itself.)
* git-annex.cabal: Deal with breaking changes in Cabal 2.0.
* Fix build with QuickCheck 2.10.
* fsck: Support --json.
* move, copy: Support --batch.
* Added GIT\_ANNEX\_VECTOR\_CLOCK environment variable, which can be used to
override the default timestamps used in log files in the git-annex
branch. This is a dangerous environment variable; use with caution.
* Fix a git-annex test failure when run on NFS due to NFS lock files
preventing directory removal.
* test: Avoid most situations involving failure to delete test
directories, by forking a worker process and only deleting the test
directory once it exits.
* Disable http-client's default 30 second response timeout when HEADing
an url to check if it exists. Some web servers take quite a long time
to answer a HEAD request.
* Added remote configuration settings annex-ignore-command and
annex-sync-command, which are dynamic equivilants of the annex-ignore
and annex-sync configurations.
* Prevent spaces from being embedded in the name of new WORM keys,
as that handing spaces in keys would complicate things like the
external special remote protocol.
* migrate: WORM keys containing spaces will be migrated to not contain
spaces anymore.
* External special remotes will refuse to operate on keys with spaces in
their names. That has never worked correctly due to the design of the
external special remote protocol. Display an error message suggesting
migration.
* Fix incorrect external special remote documentation, which said that
the filename parameter to the TRANSFER command could not contain
spaces. It can in fact contain spaces. Special remotes implementors
that relied on that may need to fix bugs in their special remotes.
* Fix the external special remotes git-annex-remote-ipfs,
git-annex-remote-torrent and the example.sh template to correctly
support filenames with spaces.
2017-08-18 15:21:11 +00:00
* Windows: Win32 package has subsumed Win32-extras; update dependency."""]]