public inbox for cygwin@cygwin.com
* Question on CVE-2018-11235
From: Akihiko Kawaguchi @ 2018-07-19 15:20 UTC
  To: cygwin

Hello,

Does anyone know when a git client package that fixes the following
vulnerability will be released for Cygwin?

    https://nvd.nist.gov/vuln/detail/CVE-2018-11235

Currently, all the versions I can choose in the Cygwin installer are
2.16.1-1, 2.16.2-1 or 2.17.0-1.

Best Regards,
Kawaguchi


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Question on CVE-2018-11235
From: Adam Dinwoodie @ 2018-07-19 17:07 UTC
  To: cygwin

On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> Hello,
>
> Does anyone know when a git client package that fixes the following
> vulnerability will be released for Cygwin?
>
>     https://nvd.nist.gov/vuln/detail/CVE-2018-11235
>
> Currently, all the versions I can choose in the Cygwin installer are
> 2.16.1-1, 2.16.2-1 or 2.17.0-1.

I'm afraid personal life has got in the way of me producing a more
up-to-date version of Git since the versions you've found. I'll
produce a new release when I get the chance, but I don't want to
commit to any particular dates at this point.

In the meantime, I'd suggest either not cloning untrusted repositories
while using the `--recurse-submodules` option (or, as general security
practice, not cloning untrusted repositories at all), or compiling Git
locally yourself.

As a general point, if people want to compile Git themselves, it's
normally straightforward, either using the upstream Git sources, or
using the Cygport packaging sources from
https://github.com/me-and/Cygwin-Git. I only haven't released it
myself because I have a higher bar for making sure the test suite
passes and so forth for something that'll be used by a significant
chunk of the Cygwin user base, than for something that's only going to
be used by me.

Adam
Your local friendly Git package maintainer


* Re: Question on CVE-2018-11235
From: Akihiko Kawaguchi @ 2018-07-20  8:51 UTC
  To: cygwin

Adam,

Thank you so much for your prompt reply, and your contribution to git
package maintenance.
I hope your personal life goes well.
I will check your advice.

Best Regards,
Kawaguchi

On Thu, 19 Jul 2018 13:38:51 +0100
Adam Dinwoodie <adam@dinwoodie.org> wrote:

> On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> > Hello,
> >
> > Does anyone know when a git client package that fixes the following
> > vulnerability will be released for Cygwin?
> >
> >     https://nvd.nist.gov/vuln/detail/CVE-2018-11235
> >
> > Currently, all the versions I can choose in the Cygwin installer are
> > 2.16.1-1, 2.16.2-1 or 2.17.0-1.
> 
> I'm afraid personal life has got in the way of me producing a more
> up-to-date version of Git since the versions you've found. I'll
> produce a new release when I get the chance, but I don't want to
> commit to any particular dates at this point.
> 
> In the meantime, I'd suggest either not cloning untrusted repositories
> while using the `--recurse-submodules` option (or, as general security
> practice, not cloning untrusted repositories at all), or compiling Git
> locally yourself.
> 
> As a general point, if people want to compile Git themselves, it's
> normally straightforward, either using the upstream Git sources, or
> using the Cygport packaging sources from
> https://github.com/me-and/Cygwin-Git. I only haven't released it
> myself because I have a higher bar for making sure the test suite
> passes and so forth for something that'll be used by a significant
> chunk of the Cygwin user base, than for something that's only going to
> be used by me.
> 
> Adam
> Your local friendly Git package maintainer
> 

