Junio C Hamano wrote: > Maintenance releases Git v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5, > v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have been tagged and are now > available at the usual places. > > These are primarily to fix a recently disclosed problem with "git > shell", which may allow a user who comes over SSH to run an > interactive pager by causing it to spawn "git upload-pack --help" > (CVE-2017-8386). Some (like v2.12.3) have other fixes that have > been accumulating included as well. > > "git-shell" is a restricted login shell that can be used on a server > to prevent SSH clients from running any programs except those needed > for git fetches and pushes. If you are not running a server, or if > your server has not been explicitly configured to use git-shell as a > login shell, you are not affected. Also note that sites running "git > shell" behind gitolite are NOT vulnerable. Thanks. Credit for discovering this bug goes to Timo Schmid, ERNW GmbH. They will probably have a blog post soon with more details. 1.6.1 is the earliest git version affected (so this goes back pretty far). > The tarballs are found at: > > https://www.kernel.org/pub/software/scm/git/ > > The following public repositories all have a copy of these tags: > > url = https://kernel.googlesource.com/pub/scm/git/git > url = git://repo.or.cz/alt-git.git > url = git://git.sourceforge.jp/gitroot/git-core/git.git > url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core > url = https://github.com/gitster/git Sincerely, Jonathan