Register | Log in

jgit

Choose email to subscribe with

general

source: jgit (main)
version: 6.7.0-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Jakub Adam [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.7.1-6
oldstable: 4.11.9-1
stable: 4.11.9-2
testing: 6.7.0-2
unstable: 6.7.0-2

versioned links

3.7.1-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.9-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.7.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

jgit-cli
libjgit-ant-java
libjgit-java

action needed

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2025-4949: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

1 ignored issue:

CVE-2023-4759: Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

Created: 2023-09-12 Last update: 2025-05-22 17:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-4949: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

Created: 2025-05-22 Last update: 2025-05-22 17:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-4949: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

Created: 2025-05-22 Last update: 2025-05-22 17:30

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2025-4949: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

1 issue postponed or untriaged:

CVE-2023-4759: (needs triaging) Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

Created: 2025-05-22 Last update: 2025-05-22 17:30

debian/patches: 2 patches to forward upstream low

Among the 5 debian patches available in version 6.7.0-2 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-07-14 23:14

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:24

news

[2024-07-19] jgit 6.7.0-2 MIGRATED to testing (Debian testing watch)
[2024-07-14] Accepted jgit 6.7.0-2 (source) into unstable (Emmanuel Bourg)
[2024-05-19] jgit 6.7.0-1 MIGRATED to testing (Debian testing watch)
[2024-05-13] Accepted jgit 6.7.0-1 (source) into unstable (Pierre Gruet)
[2023-01-28] jgit 4.11.9-2 MIGRATED to testing (Debian testing watch)
[2023-01-22] Accepted jgit 4.11.9-2 (source) into unstable (Pierre Gruet)
[2021-02-07] jgit 4.11.9-1 MIGRATED to testing (Debian testing watch)
[2021-02-01] Accepted jgit 4.11.9-1 (source) into unstable (Emmanuel Bourg)
[2021-01-31] Accepted jgit 4.1.2-1 (source) into unstable (Emmanuel Bourg)
[2018-10-22] jgit 3.7.1-6 MIGRATED to testing (Debian testing watch)
[2018-10-17] Accepted jgit 3.7.1-6 (source) into unstable (Emmanuel Bourg)
[2018-08-15] Accepted jgit 3.7.1-5 (source) into unstable (Emmanuel Bourg)
[2018-04-28] jgit REMOVED from testing (Debian testing watch)
[2016-06-30] jgit 3.7.1-4 MIGRATED to testing (Debian testing watch)
[2016-06-24] Accepted jgit 3.7.1-4 (source all) into unstable (Emmanuel Bourg)
[2016-06-22] Accepted jgit 3.7.1-3 (source all) into unstable (Emmanuel Bourg)
[2016-03-01] jgit 3.7.1-2 MIGRATED to testing (Debian testing watch)
[2016-02-24] Accepted jgit 3.7.1-2 (source all) into unstable (Markus Koschany)
[2015-09-28] jgit 3.7.1-1 MIGRATED to testing (Britney)
[2015-09-22] Accepted jgit 3.7.1-1 (source all) into unstable (Emmanuel Bourg)
[2015-05-10] jgit 3.7.0-1 MIGRATED to testing (Britney)
[2015-05-05] Accepted jgit 3.7.0-1 (source all) into unstable (Jakub Adam) (signed by: tony mancill)
[2014-09-25] jgit 3.4.0-2 MIGRATED to testing (Britney)
[2014-09-19] Accepted jgit 3.4.0-2 (source all) into unstable (Jakub Adam) (signed by: Emmanuel Bourg)
[2014-06-28] jgit 3.4.0-1 MIGRATED to testing (Debian testing watch)
[2014-06-22] Accepted jgit 3.4.0-1 (source all) (Jakub Adam) (signed by: tony mancill)
[2014-05-20] jgit 3.3.2-1 MIGRATED to testing (Debian testing watch)
[2014-05-15] Accepted jgit 3.3.2-1 (source all) (Emmanuel Bourg) (signed by: tony mancill)
[2014-04-01] jgit 3.3.1-1 MIGRATED to testing (Debian testing watch)
[2014-03-27] Accepted jgit 3.3.1-1 (source all) (Jakub Adam) (signed by: tony mancill)

1
2

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.7.0-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing