A critical client-side vulnerability was discovered in Git and Mercurial when used on an operating system with a case-insensitive file system, such as Windows and OS X. All users are recommended to update their Git and Mercurial clients to the latest version.
Deveo Cloud and On-Premises release 2.5.1 has been upgraded to Git 2.2.1, which also allows preventing the creation of such malicious trees on the server side. This can be configured by logging in over SSH to your Deveo installation and executing the following commands as a deveo user. On clustered Deveo installations, this configuration needs to be applied on every Web node.
git config --system --bool receive.fsckObjects true
git config --system --bool core.protectHFS true
git config --system --bool core.protectNTFS true
Beware that this server-side prevention is a fairly expensive operation, and enabling fsckObjects can degrade performance, especially on large repositories. Updating to the latest Git (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) and Mercurial (3.2.3) client is the best way to protect against the vulnerability.
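To confirm that the three settings above are in effect on a node, the following added example (not part of the original advisory or of Deveo's tooling) audits them and reports any that are missing or disabled. The function name audit_git_hardening and the optional config-file argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit the three server-side settings named in the advisory.
# audit_git_hardening and its optional file argument are hypothetical names.

REQUIRED_KEYS="receive.fsckObjects core.protectHFS core.protectNTFS"

# Usage: audit_git_hardening [CONFIG_FILE]
# With no argument the system-wide config (git config --system) is read;
# with an argument that file is read instead (handy for testing a copy).
# Prints one line per key that is not enabled; returns 0 only if all are.
audit_git_hardening() {
    cfg=${1:-}
    missing=0
    for key in $REQUIRED_KEYS; do
        # --bool canonicalises yes/on/1 to "true"; an unset key or an
        # invalid boolean makes git exit non-zero, reported as "unset".
        if [ -n "$cfg" ]; then
            val=$(git config --file "$cfg" --bool --get "$key" 2>/dev/null) || val=unset
        else
            val=$(git config --system --bool --get "$key" 2>/dev/null) || val=unset
        fi
        if [ "$val" != "true" ]; then
            echo "NOT ENABLED: $key (value: $val)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Example call on a node, as the same user that applied the settings:
#   audit_git_hardening && echo "server-side protection is enabled"
```

On a clustered installation, run the check on every Web node, since the settings are applied per node.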