The latest maintenance release Git v2.2.1 is now available at
the usual places.
This is a security-fix for CVE-2014-9390, which affects users on
Windows and Mac OS X but not typical UNIX users. A set of new
releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
v2.1.4) are published at the same time and they contain the same fix.
Various implementations and ports, including Git for Windows, Git OS
X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
have been updated at the same time.
Even though the issue may not affect Linux users, if you are a
hosting service whose users may fetch from your service to Windows
or Mac OS X machines, you are strongly encouraged to update to
protect such users who use existing versions of Git.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the 'v2.2.1'
tag and the 'maint' branch that the tag points at:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://code.google.com/p/git-core/
url = git://git.sourceforge.jp/gitroot/git-core/git.git
url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
url = https://github.com/gitster/git
Git v2.2.1 Release Notes
========================
Fixes since v2.2
----------------
* We used to allow committing a path ".Git/config" with Git that is
running on a case sensitive filesystem, but an attempt to check out
such a path with Git that runs on a case insensitive filesystem
would have clobbered ".git/config", which is definitely not what
the user would have expected. Git now prevents you from tracking
a path with ".Git" (in any case combination) as a path component.
* On Windows, certain path components that are different from ".git"
are mapped to ".git", e.g. "git~1/config" is treated as if it were
".git/config". HFS+ has a similar issue, where certain unicode
codepoints are ignored, e.g. ".g\u200cit/config" is treated as if
it were ".git/config". Pathnames with these potential issues are
rejected on the affected systems. Git on systems that are not
affected by this issue (e.g. Linux) can also be configured to
reject them to ensure cross platform interoperability of the hosted
projects.
* "git fsck" notices a tree object that records such a path that can
be confused with ".git", and with receive.fsckObjects configuration
set to true, an attempt to "git push" such a tree object will be
rejected. Such a path may not be a problem on some filesystems
but in order to protect those on HFS+ and on case insensitive
filesystems, this check is enabled on all platforms.
A big "thanks!" for bringing this issue to us goes to our friends in
the Mercurial land, namely, Matt Mackall and Augie Fackler.
Also contains typofixes, documentation updates and trivial code clean-ups.
----------------------------------------------------------------
Changes since v2.2.0 are as follows:
Hartmut Henkel (1):
l10n: de.po: fix typos
Jeff King (8):
unpack-trees: propagate errors adding entries to the index
read-tree: add tests for confusing paths like ".." and ".git"
verify_dotfile(): reject .git case-insensitively
t1450: refactor ".", "..", and ".git" fsck tests
fsck: notice .git case-insensitively
utf8: add is_hfs_dotgit() helper
read-cache: optionally disallow HFS+ .git variants
fsck: complain about HFS+ ".git" aliases in trees
Johannes Schindelin (3):
path: add is_ntfs_dotgit() helper
read-cache: optionally disallow NTFS .git variants
fsck: complain about NTFS ".git" aliases in trees
Junio C Hamano (6):
Start post 2.2 cycle
Git 1.8.5.6
Git 1.9.5
Git 2.0.5
Git 2.1.4
Git 2.2.1
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html