got a CVE number

Joey Hess 2018-06-18 17:56:18 -04:00
parent e00b3ab3d5
commit c81b879d39
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
3 changed files with 7 additions and 4 deletions


@ -1,5 +1,6 @@
git-annex (6.20180622) UNRELEASED; urgency=high git-annex (6.20180622) UNRELEASED; urgency=high
* Security fix release for CVE-2018-10857.
* Added annex.security.allowed-url-schemes setting, which defaults * Added annex.security.allowed-url-schemes setting, which defaults
to only allowing http, https, and ftp URLs. Note especially that file:/ to only allowing http, https, and ftp URLs. Note especially that file:/
is no longer enabled by default. This is a security fix. is no longer enabled by default. This is a security fix.
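Review bot: the new first bullet names CVE-2018-10857, but the allowed-url-schemes bullet right below it still ends with the generic "This is a security fix." and does not say which issue it addresses. If that setting is part of the fix for this CVE, put the identifier in that bullet too (for example "This is a security fix for CVE-2018-10857."), so someone searching the changelog for the CVE lands on the behaviour change (file:/ no longer enabled by default) and not only on the release headline.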


@ -1,3 +1,5 @@
CVE-2018-10857
This is a security hole that allows exposure of This is a security hole that allows exposure of
private data in files located outside the git-annex repository. private data in files located outside the git-annex repository.
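Review bot: the added first line is a bare "CVE-2018-10857" with no label or punctuation, so it reads as a stray token above "This is a security hole that allows exposure of". The third file in this commit uses the prefix form "CVE-2018-10857: Some uses of git-annex were vulnerable ..."; using the same form here ("CVE-2018-10857: This is a security hole ...") would keep the two texts consistent and make the identifier part of the sentence it describes.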


@ -1,7 +1,7 @@
Some uses of git-annex were vulnerable to a private data exposure and CVE-2018-10857: Some uses of git-annex were vulnerable to a private data
exfiltration attack. It could expose the content of files located exposure and exfiltration attack. It could expose the content of files
outside the git-annex repository, or content from a private located outside the git-annex repository, or content from a private web
web server on localhost or the LAN. server on localhost or the LAN.
This was fixed in git-annex 6.20180622. This was fixed in git-annex 6.20180622.
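Review bot: adding the "CVE-2018-10857:" prefix re-wrapped the whole paragraph, so four lines show as changed ("exposure and exfiltration attack" through "server on localhost or the LAN.") for what is a one-token addition. In a security announcement it helps reviewers to see that the wording of the impact statement is untouched; keeping the original line breaks and letting the first line run slightly long would reduce this hunk to a single changed line.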