announcing the security fix release

This commit is contained in:
Joey Hess 2018-06-25 22:14:32 -04:00
parent dc6cb6aa5f
commit 561e4531e5
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
3 changed files with 49 additions and 0 deletions


@ -8,3 +8,5 @@ This fix was really a lot easier than the previous fixes for
CVE-2018-10857. CVE-2018-10857.
Unfortunately this did mean not letting URL and WORM keys be downloaded Unfortunately this did mean not letting URL and WORM keys be downloaded
from many special remotes by default, which is going to be painful for some. from many special remotes by default, which is going to be painful for some.
[[!meta date="June 20 2018 5:00 pm"]]
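Review bot: the added meta date uses a different month format ("June 20 2018 5:00 pm") from the other post added in this same commit ("Jun 26 2018 12:00 pm"); pick one form so the devblog ordering and rendering are predictable. Backdating this post to June 20 is consistent with the announcement's statement that the embargoed posts are being published together now, so the date itself looks intended, but it is worth confirming that the other four embargoed posts got the same treatment in their own commits.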


@ -0,0 +1,15 @@
Just released git-annex 6.20180626 with important security fixes!
Please go upgrade now, read the [[release_notes|news/security_fix_release]]
for details about some necessary behavior changes,
and if you're curious about the details of the security holes,
see [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]].
I've been dealing with these security holes for the past week and a half,
and decided to use a security embargo while fixes were being developed
due to the complexity of addressing security holes that impact both
git-annex and external special remote programs. For the full story
see past 5 posts in this devblog, which are being published all together
now that the embargo is lifted.
[[!meta date="Jun 26 2018 12:00 pm"]]
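Review bot: the advisory page this post links to, security/CVE-2018-10857_and_CVE-2018-10859, is not one of the three files changed in this commit, so the link dangles unless that page is already committed and published at the moment the embargo lifts; please confirm it lands in the same push as this announcement. Same for [[release_notes|news/security_fix_release]]: the release notes file is in this commit, so that link is fine. One small addition: the release notes say to restart any git-annex assistant processes after upgrading, and since this post tells people to "go upgrade now", repeating that one line here would save readers who never click through.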


@ -0,0 +1,32 @@
git-annex 6.20180626 is an important security fix release.
See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
for details about the security holes fixed in this release.
After upgrading git-annex, you should restart any git-annex assistant
processes.
Several changes to git-annex's behavior had to be made as part of the
security fixes:
* A security fix has changed git-annex to refuse to download content from
some special remotes when the content cannot be verified with a hash check.
In particular URL and WORM keys stored on such remotes won't be downloaded.
See the documentation of the annex.security.allow-unverified-downloads
configuration for how to deal with this if it affects your files.
* A security fix has changed git-annex to only support http, https, and ftp
URL schemes by default. You can enable other URL schemes, at your own risk,
using annex.security.allowed-url-schemes.
* A related security fix prevents git-annex from connecting to http
servers (and proxies) on localhost or private networks. This can
be overridden, at your own risk, using annex.security.allowed-http-addresses.
* Setting annex.web-options no longer is enough to make curl be used,
and youtube-dl is also no longer used by default. See the
documentation of annex.security.allowed-http-addresses for
details and how to enable them.
* The annex.web-download-command configuration has been removed,
use annex.web-options instead.
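Review bot: the bullet about curl and youtube-dl reads awkwardly ("no longer is enough" should be "is no longer enough") and is the one item in the list that sends readers to the documentation of a differently named setting, annex.security.allowed-http-addresses, to find out how to re-enable them; stating the required value inline, next to the "at your own risk" wording the other bullets use, would keep the list self-contained. Also consider adding one sentence to the allow-unverified-downloads bullet explaining why URL and WORM keys are affected (they carry no content hash to check against), since that is the reason the new default bites and the bullet currently only states the effect.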