Sync with Git 2.14.4

* maint-2.14: Git 2.14.5 submodule-config: ban submodule paths that start with a dash submodule-config: ban submodule urls that start with dash submodule--helper: use "--" to signal end of clone options
author: Junio C Hamano <gitster@pobox.com> 2018-09-27 11:20:22 -0700
committer: Junio C Hamano <gitster@pobox.com> 2018-09-27 11:20:22 -0700
commit: 902df9f5c45cd99720d4ca0a38d0538eb0126ad7 (patch)
tree: 31508ce7526984307a09f9e114a2989f668c060e /Documentation/RelNotes
parent: Git 2.15.2 (diff)
parent: Git 2.14.5 (diff)
download: tgif-902df9f5c45cd99720d4ca0a38d0538eb0126ad7.tar.xz
1 files changed, 16 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.14.5.txt b/Documentation/RelNotes/2.14.5.txt
new file mode 100644
index 0000000000..130645fb29
--- /dev/null
+++ b/Documentation/RelNotes/2.14.5.txt
@@ -0,0 +1,16 @@
+Git v2.14.5 Release Notes
+=========================
+
+This release is to address the recently reported CVE-2018-17456.
+
+Fixes since v2.14.4
+-------------------
+
+ * Submodules' "URL"s come from the untrusted .gitmodules file, but
+   we blindly gave it to "git clone" to clone submodules when "git
+   clone --recurse-submodules" was used to clone a project that has
+   such a submodule.  The code has been hardened to reject such
+   malformed URLs (e.g. one that begins with a dash).
+
+Credit for finding and fixing this vulnerability goes to joernchen
+and Jeff King, respectively.
author	Junio C Hamano <gitster@pobox.com>	2018-09-27 11:20:22 -0700
committer	Junio C Hamano <gitster@pobox.com>	2018-09-27 11:20:22 -0700
commit	902df9f5c45cd99720d4ca0a38d0538eb0126ad7 (patch)
tree	31508ce7526984307a09f9e114a2989f668c060e /Documentation/RelNotes
parent	Git 2.15.2 (diff)
parent	Git 2.14.5 (diff)
download	tgif-902df9f5c45cd99720d4ca0a38d0538eb0126ad7.tar.xz