[epp-dev] FYI: Luna SR1a - JGit client vulnerability in Eclipse (CVE-201

[Markus Knauer <mknauer@xxxxxxxxxxxxxxxxx>]

Hi all (and a Happy New Year to everyone!)

Some days before Christmas a discussion about a Git vulnerability [1] had been started on the Committers mailing list [2]. Fortunately the JGit team was extremely responsive and had a fix available shortly after. Since then the issue has been discussed in the Planning Council call this week [3] and in many mails. Others have already updated their products (e.g. Gerrit 2.9.4 and most Linux distros), or are in the process of updating (e.g. Netbeans nightly builds).

In order to address this issue as quick as possible and as smooth as possible for our users, I've created updated Luna SR1a packages that contain the updated JGit/EGit 3.4.2. This build is based on an updated p2 repository that David created yesterday. The plan is to roll out the packages and the updated p2 repositories on Monday.

All details and the progress is documented in this bug:

Bug 456947 - JGit client vulnerability in Eclipse (CVE-2014-9390)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=456947

Luna SR1a build:
https://hudson.eclipse.org/packaging/job/luna.epp-tycho-build/226/

Luna SR1a p2 update test repositories:

http://download.eclipse.org/releases/luna/201501121000/
http://download.eclipse.org/technology/epp/packages/luna/SR1a/

Thanks and regards,
Markus


[1] https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
[2] http://dev.eclipse.org/mhonarc/lists/eclipse.org-committers/msg01023.html
[3] https://wiki.eclipse.org/Planning_Council/January_07_2015