announcing the security fix release

Joey Hess 2018-06-25 22:14:32 -04:00
parent dc6cb6aa5f
commit 561e4531e5
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
3 changed files with 49 additions and 0 deletions

@ -8,3 +8,5 @@ This fix was really a lot easier than the previous fixes for
CVE-2018-10857.
Unfortunately this did mean not letting URL and WORM keys be downloaded
from many special remotes by default, which is going to be painful for some.
[[!meta date="June 20 2018 5:00 pm"]]
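Review bot: The `[[!meta date="June 20 2018 5:00 pm"]]` line added at the end of this post spells the month out and carries no time zone, while the date added to the new announcement post in this same commit uses the abbreviated form `Jun 26 2018 12:00 pm`. These backdated posts are being published together, so consider using one date format across them and stating the zone, so that the intended ordering of the posts is unambiguous.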

@ -0,0 +1,15 @@
Just released git-annex 6.20180626 with important security fixes!
Please go upgrade now, read the [[release_notes|news/security_fix_release]]
for details about some necessary behavior changes,
and if you're curious about the details of the security holes,
see [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]].
I've been dealing with these security holes for the past week and a half,
and decided to use a security embargo while fixes were being developed
due to the complexity of addressing security holes that impact both
git-annex and external special remote programs. For the full story
see past 5 posts in this devblog, which are being published all together
now that the embargo is lifted.
[[!meta date="Jun 26 2018 12:00 pm"]]
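Review bot: "see past 5 posts in this devblog" near the end of the new post is a relative reference that stops pointing at the right entries as soon as later posts are added. Link the embargoed posts by name, the same way the release notes and the advisory are linked with `[[...|...]]` a few lines above. The phrase is also missing an article ("see the past 5 posts").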