Git 2.13.7

Signed-off-by: Junio C Hamano <gitster@pobox.com>
author: Junio C Hamano <gitster@pobox.com> 2018-05-22 13:50:36 +0900
committer: Junio C Hamano <gitster@pobox.com> 2018-05-22 13:50:36 +0900
commit: 0114f71344844be9e5add321cffea34bac077d75 (patch)
tree: 1066054d066d005da9761ced28d899fd7edd29ac /Documentation/RelNotes
parent: Merge branch 'jk/submodule-fix-loose' into maint-2.13 (diff)
download: tgif-0114f71344844be9e5add321cffea34bac077d75.tar.xz
1 files changed, 20 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.13.7.txt b/Documentation/RelNotes/2.13.7.txt
new file mode 100644
index 0000000000..09fc01406c
--- /dev/null
+++ b/Documentation/RelNotes/2.13.7.txt
@@ -0,0 +1,20 @@
+Git v2.13.7 Release Notes
+=========================
+
+Fixes since v2.13.6
+-------------------
+
+ * Submodule "names" come from the untrusted .gitmodules file, but we
+   blindly append them to $GIT_DIR/modules to create our on-disk repo
+   paths. This means you can do bad things by putting "../" into the
+   name. We now enforce some rules for submodule names which will cause
+   Git to ignore these malicious names (CVE-2018-11235).
+
+   Credit for finding this vulnerability and the proof of concept from
+   which the test script was adapted goes to Etienne Stalmans.
+
+ * It was possible to trick the code that sanity-checks paths on NTFS
+   into reading random piece of memory (CVE-2018-11233).
+
+Credit for fixing for these bugs goes to Jeff King, Johannes
+Schindelin and others.
author	Junio C Hamano <gitster@pobox.com>	2018-05-22 13:50:36 +0900
committer	Junio C Hamano <gitster@pobox.com>	2018-05-22 13:50:36 +0900
commit	0114f71344844be9e5add321cffea34bac077d75 (patch)
tree	1066054d066d005da9761ced28d899fd7edd29ac /Documentation/RelNotes
parent	Merge branch 'jk/submodule-fix-loose' into maint-2.13 (diff)
download	tgif-0114f71344844be9e5add321cffea34bac077d75.tar.xz