Commit 78daf00baa3b77c1b09f57f52306c267769faaa1

Patrick Steinhardt 2018-05-29T14:05:10

CHANGELOG: update for v0.27.1

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba0cb4e..c2b5071 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,13 +1,17 @@
-v0.27 + 1
+v0.27.1
 ---------
 
-### Changes or improvements
+This is a security release fixing insufficient validation of submodule names
+(CVE-2018-11235, reported by Etienne Stalmans).
 
-### API additions
+While submodule names come from the untrusted ".gitmodules" file, we blindly
+append the name to "$GIT_DIR/modules" to construct the final path of the
+submodule repository. In case the name contains e.g. "../", an adversary would
+be able to escape your repository and write data at arbitrary paths. In
+accordance with git, we now enforce some rules for submodule names which will
+cause libgit2 to ignore these melicious names.
 
-### API removals
-
-### Breaking API changes
+libgit2 is not susceptible to CVE-2018-11233.
 
 v0.27
 ---------
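Review bot: Typo in the new paragraph of the v0.27.1 entry: "melicious names" should read "malicious names". On the same paragraph, "we now enforce some rules for submodule names" leaves the reader guessing what is rejected; since the text says the rules follow git, consider stating them briefly (for instance that names containing "../" path components are refused), so users can tell from the changelog which ".gitmodules" entries will now be ignored. The closing line "libgit2 is not susceptible to CVE-2018-11233" would also be more useful with a short clause saying why, so that the claim can be checked rather than taken on trust.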