-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 Jun 2018 16:42:37 +0100
Source: git-annex
Binary: git-annex
Architecture: source
Version: 6.20170101-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Richard Hartmann <richih@debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (6.20170101-1+deb9u2) stretch; urgency=high
 .
   [ Joey Hess ]
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that
       file:/ is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not
       allow supporting annex.security.allowed-url-schemes across redirects.
       If you used this setting, you may want to instead use
       annex.web-options to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and
       the LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting.
       (The S3, glacier, and webdav special remotes are still allowed
       to download from the web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content, that cannot be verified with a hash,
       from encrypted special remotes (for CVE-2018-10859),
       and from all external special remotes (for CVE-2018-10857).
       In particular, URL and WORM keys stored on such remotes won't be
       downloaded.
       If this affects your files, you can run `git-annex migrate` on the
       affected files, to convert them to use a hash.
     - Added annex.security.allow-unverified-downloads, which can override
       the above.
 .
 git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
     execute arbitrary commands via an ssh URL with an initial dash character
     in the hostname, as demonstrated by an ssh://-eProxyCommand= URL
     (Closes: #873088)
Checksums-Sha1:
 440c1251fbe20dbf443c6df5fe751ca44aab2887 5240 git-annex_6.20170101-1+deb9u2.dsc
 2645dcd551cc00c03a293187953445c506d17cd4 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Checksums-Sha256:
 d485b213f7596fae899917671b7a78a9e0535b22a7cac51748c4e5842556aca2 5240 git-annex_6.20170101-1+deb9u2.dsc
 b7e9d0160a782c1b2a97e559e88c21189281cd460fb41cc8217e7e76251877a1 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Files:
 75bec588ccb2a7d3d46ae77032467477 5240 utils optional git-annex_6.20170101-1+deb9u2.dsc
 54bbb6bbb30144bd55aa37a886accb43 88536 utils optional git-annex_6.20170101-1+deb9u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAls+kLMACgkQaVt65L8G
YkBjJRAAsfhrRk1ATOTvhv/6rufv7tM+TbTBsU8yBmdT+TEAz3vHs6KpIR8XNSXn
VI2OOTRIXjHQm62cfNSPle4MHL6b6N1hSUWq9YJxoYm0gi/fay4CrLjvpDZIulve
vaVvU3/m4s8p6YeiEekdd0JxWB+BdA0N4JaWLA5bkIEjBT/CAcMm5dJ1shNXPkph
NpBbVyOVtNN224Z5wnXYyteFOnrunz1CaqXgkSzrdo0HppwNMjEK00xKgTcDcOHG
ZIzwINmSjzO7PiQI0Lngu9MAuOrLxRQeyhFpc77XmMjDcZP8db2a1p2tkTPQEWXA
A3ouHa715vj/bFtTsavcmJKagGuXjJOcIOIhK3okJCOoTdVEWfdyTV6pMDuLQqQv
yK3CiIHawTQcpfsEzZSTRF1+LlOI4i3z9Qu6p50yuK2nCowVLNal0lVbtKfAIuhx
W4I03iB3OQ5ifSlTC8XWKTeKPE4JBmA2tOmskl7naSPR1fD0E9qyn5n9Pe1Amwl+
ttPgu038opQj1t//e49vSmwvNCpdTvSNIfST3UZY7XevhH/2xFCWDDT21R9NtMnx
+knn8T0PAU6uHCDcNwvg2ILL0WGk3dGjUyTbHEPybNX7ZqFkxS1tRxo5d6T+gNBF
XHrxIslJkrRcjVKs6iPeFeNERljKrbmuOe4nb/uNu30zIMsph0E=
=+jvY
-----END PGP SIGNATURE-----
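The changelog above describes three download-policy checks (a URL scheme allowlist that drops file:/, a refusal of http servers on localhost and the LAN unless annex.security.allowed-http-addresses says otherwise, and re-applying both checks across redirects, which is why annex.web-download-command had to go) plus, in the deb9u1 entry, the class of bug behind CVE-2017-12976 (a hostname beginning with "-" being handed to ssh as an option). The following is an added example, not git-annex's own code, that models those checks in Python the way a tool fetching URLs on a user's behalf would implement them. It follows the upstream semantics of refusing only non-public addresses; the stretch backport described above is stricter and refuses all web downloads until the setting is configured. The function names, the in-memory DNS table, the redirect map, and the CIDR-list form of the allowed-address setting are all assumptions made for this example.

```python
"""Model of git-annex's download policy (added example; not project code)."""
import ipaddress
from urllib.parse import urlsplit, urljoin

# Default of annex.security.allowed-url-schemes per the changelog: file:/ is out.
DEFAULT_SCHEMES = frozenset({"http", "https", "ftp"})

# Constructed stand-in for DNS so the example runs offline.  A real
# implementation must resolve the name itself and then connect to the
# address it checked; otherwise a DNS-rebinding attacker can answer the
# policy lookup with a public address and the actual fetch with 127.0.0.1.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.lan": ["10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


class PolicyViolation(ValueError):
    """Raised when a URL, or a redirect target, is refused by policy."""


def resolve(host):
    """Return the addresses for host: a literal IP as-is, else via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise PolicyViolation(f"cannot resolve {host!r}")
    return FAKE_DNS[host]


def check_scheme(url, allowed=DEFAULT_SCHEMES):
    """Refuse any scheme outside the allowlist (file:/, gopher:, ...)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in allowed:
        raise PolicyViolation(f"scheme {scheme!r} not allowed: {url}")
    return scheme


def check_address(url, allowed_http_addresses=()):
    """Refuse http(s) downloads whose host resolves to a loopback, link-local
    or private address, unless that address is covered by the allowed list
    (modelling annex.security.allowed-http-addresses; "all" disables the check)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return []                      # the address policy only covers http(s)
    host = parts.hostname
    if not host:
        raise PolicyViolation(f"no host in {url}")
    addrs = resolve(host)
    if allowed_http_addresses == "all":
        return addrs
    allowed = [ipaddress.ip_network(a) for a in allowed_http_addresses]
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # is_global is False for 127/8, 10/8, 172.16/12, 192.168/16,
        # 169.254/16, ::1, fc00::/7, fe80::/10 and other reserved ranges.
        if not ip.is_global and not any(ip in net for net in allowed):
            raise PolicyViolation(f"{host} resolves to non-public {a}: {url}")
    return addrs


def check_download(url, redirects, allowed_schemes=DEFAULT_SCHEMES,
                   allowed_http_addresses=(), max_hops=5):
    """Apply both checks to the initial URL and to every redirect target.
    `redirects` is a constructed url -> Location map standing in for the
    3xx responses a real HTTP client would see.  Returns the accepted chain."""
    chain = []
    for _ in range(max_hops + 1):
        check_scheme(url, allowed_schemes)
        check_address(url, allowed_http_addresses)
        chain.append(url)
        if url not in redirects:
            return chain
        url = urljoin(url, redirects[url])   # Location may be relative
    raise PolicyViolation(f"too many redirects starting at {chain[0]}")


def check_ssh_host(url):
    """CVE-2017-12976 class of bug: a host such as ssh://-eProxyCommand=...
    would reach ssh as a command-line option.  Refuse hosts starting with '-'."""
    host = urlsplit(url).netloc.rpartition("@")[2]
    if host.startswith("-"):
        raise PolicyViolation(f"ssh host looks like an option: {host!r}")
    return host


def refused(fn, *args, **kwargs):
    """True if fn(*args, **kwargs) is refused by policy (used by the demo)."""
    try:
        fn(*args, **kwargs)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    evil = {"http://example.org/f": "file:///etc/passwd"}
    print(check_download("http://example.org/f", {}))
    print("redirect to file:/ refused:", refused(check_download, "http://example.org/f", evil))
    print("LAN host refused:", refused(check_download, "http://intranet.lan/x", {}))
    print("ssh option host refused:", refused(check_ssh_host, "ssh://-eProxyCommand=x/repo"))
```

The redirect loop re-runs both checks on each hop because a public server is free to answer with Location: http://127.0.0.1/ or file:///...; a fetcher that only validates the first URL, as an external download command would, is exactly what the changelog removed.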