[jgit-dev] Security fix for CVE-2023-4759

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jgit-dev] Security fix for CVE-2023-4759

From: Matthias Sohn <matthias.sohn@xxxxxxxxx>
Date: Wed, 13 Sep 2023 00:41:44 +0200
Delivered-to: jgit-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jgit-dev/>
List-help: <mailto:jgit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jgit-dev>, <mailto:jgit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jgit-dev>, <mailto:jgit-dev-request@eclipse.org?subject=unsubscribe>

The vulnerability CVE-2023-4759 "Arbitrary File Overwrite in Eclipse JGit <= 6.6.0" 
was fixed in JGit and EGit 6.6.1.202309021850-r and 6.7.0.202309050840-r.

If you are using JGit with non-bare repositories on a case-insensitive filesystem you should update asap.
Setting core.symlinks=false in the global git config avoids the problem. 

Kudos to Ryota K for finding and reporting this issue.

P2 repository: https://download.eclipse.org/egit/updates
and https://download.eclipse.org/egit/updates-6.7
Maven central: https://repo1.maven.org/maven2/org/eclipse/jgit/

-Matthias

Prev by Date: [jgit-dev] [Announce] JGit and EGit release 6.7.0
Next by Date: [jgit-dev] Migration of JGit/EGit repositories to GerritHub on Oct 23
Previous by thread: [jgit-dev] [Announce] JGit and EGit release 6.7.0
Next by thread: [jgit-dev] Migration of JGit/EGit repositories to GerritHub on Oct 23
Index(es):
- Date
- Thread

Breadcrumbs