49 lines
2.8 KiB
Markdown
49 lines
2.8 KiB
Markdown
**Note** this is a security fix release. A prompt upgrade is strongly
|
|
recommended. Attacks using this security hole will involve the attacker
|
|
either providing a ssh repository url to the user, or the user pulling from
|
|
a git-annex repository provided by an attacker and then running `git annex
|
|
enableremote`. For details about the security hole, see
|
|
[[bugs/dashed_ssh_hostname_security_hole]]. CVE-2017-12976
|
|
|
|
git-annex 6.20170818 released with [[!toggle text="these changes"]]
|
|
[[!toggleable text="""
|
|
* Security fix: Disallow hostname starting with a dash, which
|
|
would get passed to ssh and be treated an option. This could
|
|
be used by an attacker who provides a crafted repository url
|
|
to cause the victim to execute arbitrary code via -oProxyCommand.
|
|
(The same class of security hole recently affected git itself.)
|
|
* git-annex.cabal: Deal with breaking changes in Cabal 2.0.
|
|
* Fix build with QuickCheck 2.10.
|
|
* fsck: Support --json.
|
|
* move, copy: Support --batch.
|
|
* Added GIT\_ANNEX\_VECTOR\_CLOCK environment variable, which can be used to
|
|
override the default timestamps used in log files in the git-annex
|
|
branch. This is a dangerous environment variable; use with caution.
|
|
* Fix a git-annex test failure when run on NFS due to NFS lock files
|
|
preventing directory removal.
|
|
* test: Avoid most situations involving failure to delete test
|
|
directories, by forking a worker process and only deleting the test
|
|
directory once it exits.
|
|
* Disable http-client's default 30 second response timeout when HEADing
|
|
an url to check if it exists. Some web servers take quite a long time
|
|
to answer a HEAD request.
|
|
* Added remote configuration settings annex-ignore-command and
|
|
annex-sync-command, which are dynamic equivilants of the annex-ignore
|
|
and annex-sync configurations.
|
|
* Prevent spaces from being embedded in the name of new WORM keys,
|
|
as that handing spaces in keys would complicate things like the
|
|
external special remote protocol.
|
|
* migrate: WORM keys containing spaces will be migrated to not contain
|
|
spaces anymore.
|
|
* External special remotes will refuse to operate on keys with spaces in
|
|
their names. That has never worked correctly due to the design of the
|
|
external special remote protocol. Display an error message suggesting
|
|
migration.
|
|
* Fix incorrect external special remote documentation, which said that
|
|
the filename parameter to the TRANSFER command could not contain
|
|
spaces. It can in fact contain spaces. Special remotes implementors
|
|
that relied on that may need to fix bugs in their special remotes.
|
|
* Fix the external special remotes git-annex-remote-ipfs,
|
|
git-annex-remote-torrent and the example.sh template to correctly
|
|
support filenames with spaces.
|
|
* Windows: Win32 package has subsumed Win32-extras; update dependency."""]]
|