Important security update for Git and Mercurial (CVE-2014-9390)

Important security update for Git and Mercurial (CVE-2014-9390)

A critical client-side vulnerability was discovered for Git and Mercurial when used in an operating system with case-insensitive file system, such as Windows and OS X. All users are recommended to update their Git and Mercurial clients to the latest version.

Deveo Cloud and On-Premises release 2.5.1 has been upgraded to Git 2.2.1, which also allows preventing creation of such malicious trees on the server side. This can be configured by login over SSH to your Deveo installation and executing following commands as a deveo user. On clustered Deveo installations this configuration needs to be applied on every Web node.

git config --system --bool receive.fsckObjects true
git config --system --bool core.protectHFS true
git config --system --bool core.protectNTFS true

Beware that this server side prevention is a fairly expensive operation and enabling fsckObjects can degrade performance especially on large repositories. Updating to the latest Git (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) and Mercurial (3.2.3) client is the best way to protect against the vulnerability.

Seamless software development.

Code management and collaboration platform with Git, Subversion, and Mercurial.

Sign up for free
comments powered by Disqus