announcing the security fix release

Joey Hess 2018-06-25 22:14:32 -04:00
parent dc6cb6aa5f
commit 561e4531e5
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
3 changed files with 49 additions and 0 deletions


@ -8,3 +8,5 @@ This fix was really a lot easier than the previous fixes for
CVE-2018-10857.
Unfortunately this did mean not letting URL and WORM keys be downloaded
from many special remotes by default, which is going to be painful for some.
[[!meta date="June 20 2018 5:00 pm"]]
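Review bot: the added `[[!meta date="June 20 2018 5:00 pm"]]` carries no timezone and spells the month differently from the `Jun 26 2018 12:00 pm` directive added to the announcement post in this same commit; since the embargoed devblog posts are being backdated and published together, an ambiguous or inconsistently parsed date can reorder them in the blog index and feed. Suggest one format across all of the backdated posts, ideally an unambiguous one with an explicit offset such as `2018-06-20T17:00:00-04:00`, matching the committer's own timezone shown in the commit header.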


@ -0,0 +1,15 @@
Just released git-annex 6.20180626 with important security fixes!
Please go upgrade now, read the [[release_notes|news/security_fix_release]]
for details about some necessary behavior changes,
and if you're curious about the details of the security holes,
see [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]].
I've been dealing with these security holes for the past week and a half,
and decided to use a security embargo while fixes were being developed
due to the complexity of addressing security holes that impact both
git-annex and external special remote programs. For the full story
see past 5 posts in this devblog, which are being published all together
now that the embargo is lifted.
[[!meta date="Jun 26 2018 12:00 pm"]]
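Review bot: the post tells readers to "go upgrade now" and names the fixed release 6.20180626, but nowhere states which versions are affected, so someone on an older or distribution-packaged build cannot tell from this announcement alone whether they need to act; a one-line statement of the affected range (whatever the linked advisory specifies) belongs here before the upgrade request. Minor: "see past 5 posts in this devblog" hard-codes a count that will be wrong for anyone reading after further posts land; linking the five posts by name, or tagging them, would keep the pointer stable.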


@ -0,0 +1,32 @@
git-annex 6.20180626 is an important security fix release.
See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
for details about the security holes fixed in this release.
After upgrading git-annex, you should restart any git-annex assistant
processes.
Several changes to git-annex's behavior had to be made as part of the
security fixes:
* A security fix has changed git-annex to refuse to download content from
some special remotes when the content cannot be verified with a hash check.
In particular URL and WORM keys stored on such remotes won't be downloaded.
See the documentation of the annex.security.allow-unverified-downloads
configuration for how to deal with this if it affects your files.
* A security fix has changed git-annex to only support http, https, and ftp
URL schemes by default. You can enable other URL schemes, at your own risk,
using annex.security.allowed-url-schemes.
* A related security fix prevents git-annex from connecting to http
servers (and proxies) on localhost or private networks. This can
be overridden, at your own risk, using annex.security.allowed-http-addresses.
* Setting annex.web-options no longer is enough to make curl be used,
and youtube-dl is also no longer used by default. See the
documentation of annex.security.allowed-http-addresses for
details and how to enable them.
* The annex.web-download-command configuration has been removed,
use annex.web-options instead.
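Review bot: the last bullet says annex.web-download-command "has been removed" but not what happens to repositories that still have it set, which matters for a security fix: if a stale setting is silently ignored the user may believe a custom download path is still in effect, and if it is an error the upgrade breaks existing setups; state which it is, and whether git-annex warns. Similarly, the curl/youtube-dl bullet sends readers to the annex.security.allowed-http-addresses documentation without saying why those tools are now off by default; a short clause such as "because the external programs cannot enforce the private-address restriction" would let readers judge the risk of re-enabling them without chasing the cross-reference.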