* Question on CVE-2018-11235
From: Akihiko Kawaguchi @ 2018-07-19 15:20 UTC
To: cygwin

Hello,

Does anyone know when git client package to fix the following
vulnerability will be released for Cygwin?

https://nvd.nist.gov/vuln/detail/CVE-2018-11235

Currently, all the versions I can choose on Cygwin installer are
2.16.1-1, 2.16.2-1 or 2.17.0-1.

Best Regards,
Kawaguchi

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple

* Re: Question on CVE-2018-11235
From: Adam Dinwoodie @ 2018-07-19 17:07 UTC
To: cygwin

On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> Hello,
>
> Does anyone know when git client package to fix the following
> vulnerability will be released for Cygwin?
>
> https://nvd.nist.gov/vuln/detail/CVE-2018-11235
>
> Currently, all the versions I can choose on Cygwin installer are
> 2.16.1-1, 2.16.2-1 or 2.17.0-1.

I'm afraid personal life has got in the way of me producing a more
up-to-date version of Git since the versions you've found. I'll
produce a new release when I get the chance, but I don't want to
commit to any particular dates at this point.

In the meantime, I'd suggest either not cloning untrusted repositories
while using the `--recurse-submodules` option (or, as general security
practice, not cloning untrusted repositories at all), or compiling Git
locally yourself.

As a general point, if people want to compile Git themselves, it's
normally straightforward, either using the upstream Git sources, or
using the Cygport packaging sources from
https://github.com/me-and/Cygwin-Git. I only haven't released it
myself because I have a higher bar for making sure the test suite
passes and so forth for something that'll be used by a significant
chunk of the Cygwin user base, than for something that's only going to
be used by me.

Adam
Your local friendly Git package maintainer

* Re: Question on CVE-2018-11235
From: Akihiko Kawaguchi @ 2018-07-20 8:51 UTC
To: cygwin

Adam,

Thank you so much for your prompt reply, and your contribution to
git package maintenance.
I hope your personal life goes well.

I will check your advice.

Best Regards,
Kawaguchi

On Thu, 19 Jul 2018 13:38:51 +0100
Adam Dinwoodie <adam@dinwoodie.org> wrote:

> On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> > Hello,
> >
> > Does anyone know when git client package to fix the following
> > vulnerability will be released for Cygwin?
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2018-11235
> >
> > Currently, all the versions I can choose on Cygwin installer are
> > 2.16.1-1, 2.16.2-1 or 2.17.0-1.
>
> I'm afraid personal life has got in the way of me producing a more
> up-to-date version of Git since the versions you've found. I'll
> produce a new release when I get the chance, but I don't want to
> commit to any particular dates at this point.
>
> In the meantime, I'd suggest either not cloning untrusted repositories
> while using the `--recurse-submodules` option (or, as general security
> practice, not cloning untrusted repositories at all), or compiling Git
> locally yourself.
>
> As a general point, if people want to compile Git themselves, it's
> normally straightforward, either using the upstream Git sources, or
> using the Cygport packaging sources from
> https://github.com/me-and/Cygwin-Git. I only haven't released it
> myself because I have a higher bar for making sure the test suite
> passes and so forth for something that'll be used by a significant
> chunk of the Cygwin user base, than for something that's only going to
> be used by me.
>
> Adam
> Your local friendly Git package maintainer