From c81b879d39a34e81a9de9037ecf0ce06cdac6f18 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 18 Jun 2018 17:56:18 -0400 Subject: [PATCH] got a CVE number --- CHANGELOG | 1 + .../security_hole_private_data_exposure_via_addurl.mdwn | 2 ++ .../{private_data_exposure.mdwn => CVE-2018-10857.mdwn} | 8 ++++---- 3 files changed, 7 insertions(+), 4 deletions(-) rename doc/security/{private_data_exposure.mdwn => CVE-2018-10857.mdwn} (86%) diff --git a/CHANGELOG b/CHANGELOG index 2cc8490190..1042448bc9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,6 @@ git-annex (6.20180622) UNRELEASED; urgency=high + * Security fix release for CVE-2018-10857. * Added annex.security.allowed-url-schemes setting, which defaults to only allowing http, https, and ftp URLs. Note especially that file:/ is no longer enabled by default. This is a security fix. diff --git a/doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn b/doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn index 54d4ac60dc..b27eb64d4e 100644 --- a/doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn +++ b/doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn @@ -1,3 +1,5 @@ +CVE-2018-10857 + This is a security hole that allows exposure of private data in files located outside the git-annex repository. diff --git a/doc/security/private_data_exposure.mdwn b/doc/security/CVE-2018-10857.mdwn similarity index 86% rename from doc/security/private_data_exposure.mdwn rename to doc/security/CVE-2018-10857.mdwn index ffcabffed5..bad9edd5fa 100644 --- a/doc/security/private_data_exposure.mdwn +++ b/doc/security/CVE-2018-10857.mdwn 
@@ -1,7 +1,7 @@ -Some uses of git-annex were vulnerable to a private data exposure and -exfiltration attack. It could expose the content of files located -outside the git-annex repository, or content from a private -web server on localhost or the LAN. +CVE-2018-10857: Some uses of git-annex were vulnerable to a private data +exposure and exfiltration attack. It could expose the content of files +located outside the git-annex repository, or content from a private web +server on localhost or the LAN. This was fixed in git-annex 6.20180622.
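Review bot: in the CHANGELOG hunk, the new line "Security fix release for CVE-2018-10857." does not say what the CVE covers, while the bullet immediately below it (annex.security.allowed-url-schemes, with file:/ no longer enabled by default) is the actual fix; consider tying the two together, e.g. "* Security fix release for CVE-2018-10857 (private data exposure via addurl; see the allowed-url-schemes change below).", so someone scanning the changelog can tell which setting closes the hole.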
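Review bot: in the doc/bugs/security_hole_private_data_exposure_via_addurl.mdwn hunk the CVE identifier is added as a bare line with no pointer to the advisory page this same commit creates (doc/security/CVE-2018-10857.mdwn); adding a link from the bug page to that security page, and the fixed version, would let a reader reach the advisory from the bug report rather than by guessing the filename.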
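Review bot: the rename from doc/security/private_data_exposure.mdwn to doc/security/CVE-2018-10857.mdwn leaves nothing at the old path, so any existing links to private_data_exposure will break once this lands; consider leaving a short stub or redirect page at the old name, or at least checking the doc tree for references to it before merging.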