1871295765
Renamed annex.security.allowed-http-addresses to annex.security.allowed-ip-addresses because it is not really specific to the http protocol, also limiting eg, git-annex's use of ftp and via youtube-dl, several other protocols. The old name for the config will still work. If both old and new name are set, the new name will win.
32 lines
1.4 KiB
Markdown
git-annex 6.20180626 is an important security fix release.

See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
for details about the security holes fixed in this release.

After upgrading git-annex, you should restart any git-annex assistant
processes.

Several changes to git-annex's behavior had to be made as part of the
security fixes:

* A security fix has changed git-annex to refuse to download content from
  some special remotes when the content cannot be verified with a hash check.
  In particular URL and WORM keys stored on such remotes won't be downloaded.
  See the documentation of the annex.security.allow-unverified-downloads
  configuration for how to deal with this if it affects your files.

* A security fix has changed git-annex to only support http, https, and ftp
  URL schemes by default. You can enable other URL schemes, at your own risk,
  using annex.security.allowed-url-schemes.

* A related security fix prevents git-annex from connecting to http
  servers (and proxies) on localhost or private networks. This can
  be overridden, at your own risk, using annex.security.allowed-ip-addresses.

* Setting annex.web-options no longer is enough to make curl be used,
  and youtube-dl is also no longer used by default. See the
  documentation of annex.security.allowed-http-addresses for
  details and how to enable them.

* The annex.web-download-command configuration has been removed,
  use annex.web-options instead.
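
The URL-scheme and IP-address restrictions in the list above, sketched as an added Python example; this is not git-annex's own code (git-annex is written in Haskell). The function names are hypothetical, the value formats (space-separated lists, `all`) are assumed to mirror annex.security.allowed-url-schemes and annex.security.allowed-ip-addresses, and the URLs and addresses are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Defaults as stated in the release notes: http, https and ftp only,
# and no exceptions to the "public addresses only" rule.
DEFAULT_SCHEMES = "http https ftp"
DEFAULT_ALLOWED_IPS = ""


def ip_allowed(ip_text, allowed_ips=DEFAULT_ALLOWED_IPS):
    """True if a connection to this address is acceptable (hypothetical helper)."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide a private IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    allowed = allowed_ips.split()
    if "all" in allowed:
        return True
    if any(ip == ipaddress.ip_address(a) for a in allowed):
        return True
    # Loopback, RFC 1918, link-local and other reserved ranges are not global.
    return ip.is_global


def check_url(url, resolved_ips,
              allowed_schemes=DEFAULT_SCHEMES,
              allowed_ips=DEFAULT_ALLOWED_IPS):
    """Return (ok, reason). resolved_ips is the list of addresses the host
    name resolved to; it is passed in so the example runs offline."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in allowed_schemes.split():
        return (False, "scheme %r is not allowed" % scheme)
    if not resolved_ips:
        return (False, "host did not resolve to any address")
    # Every candidate address must pass; one private address in the set
    # is enough to refuse, since the client could end up connecting to it.
    for ip in resolved_ips:
        if not ip_allowed(ip, allowed_ips):
            return (False, "address %s is not a public address" % ip)
    return (True, "ok")


if __name__ == "__main__":
    print(check_url("https://example.com/file", ["93.184.216.34"]))
    print(check_url("http://localhost:8080/", ["127.0.0.1"]))
    print(check_url("http://localhost:8080/", ["127.0.0.1"],
                    allowed_ips="127.0.0.1 ::1"))
```

A check of this kind only holds if the connection is then made to the address that was checked, and if each redirect target is checked again before it is followed.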