Bug 456957

Summary: Update Git (and Gerrit?) on servers to include security fix (CVE-2014-9390)
Product: Community
Reporter: David Williams <david_williams>
Component: Git
Assignee: Eclipse Webmaster <webmaster>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: denis.roy
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on: 441011
Bug Blocks:

Description David Williams CLA 2015-01-07 14:01:51 EST
This bug is simply to track the "server side" counterpart to bug 456947.

That is, even though Linux itself is not vulnerable to the bug, since Windows and Mac clients can connect to it, it is best if the server fixes the issue too, according to the original advisory at

http://article.gmane.org/gmane.linux.kernel/1853266

Put another way,  even once "we" provide a "client fix", there is no guarantee that all users would update their client.  

Plus, from the fixes in JGit, described in 
https://projects.eclipse.org/projects/technology.egit/releases/3.4.2
it would seem to me that even Linux *might* be susceptible to some of the "unicode" type issues ... but, probably, that is simply a Java (and JGit and HFS) issue, and does not apply to Git itself?

Comment 1 Denis Roy CLA 2015-01-07 14:07:31 EST
Bug 441011 will take care of this on the Gerrit side.  I'd like to upgrade Gerrit this quarter, since there is a considerable amount of new functionality available.

Comment 2 Denis Roy CLA 2015-01-13 16:37:51 EST
I've created a git-2.2.1 rpm for SLES 11 x86_86 and put it in /shared/common

Tomorrow morning I'll upgrade some non-critical servers and test it out.  I'll end up deploying it to build.eclipse.org and lastly to git.eclipse.org

Comment 3 Denis Roy CLA 2015-01-28 16:40:33 EST
dev2:~ # git --version
git version 2.3.0-rc0

All the "pure git" servers have been upgraded.