Re: Question on CVE-2018-11235
- Date: Fri, 20 Jul 2018 12:02:57 +0900
- From: Akihiko Kawaguchi <a@xxxxxx>
- Subject: Re: Question on CVE-2018-11235
Thank you so much for your prompt reply, and your contribution to git
I hope your personal life goes well.
I will check your advice.
On Thu, 19 Jul 2018 13:38:51 +0100
Adam Dinwoodie <adam@xxxxxxxxxxxxx> wrote:
> On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> > Hello,
> > Does anyone know when git client package to fix the following
> > vulnerability will be released for Cygwin?
> > https://nvd.nist.gov/vuln/detail/CVE-2018-11235
> > Currently, all the versions I can choose on Cygwin installer are
> > 2.16.1-1, 2.16.2-1 or 2.17.0-1.
> I'm afraid personal life has got in the way of me producing a more
> up-to-date version of Git since the versions you've found. I'll
> produce a new release when I get the chance, but I don't want to
> commit to any particular dates at this point.
> In the meantime, I'd suggest either not cloning untrusted repositories
> while using the `--recurse-submodules` option (or, as general security
> practice, not cloning untrusted repositories at all), or compiling Git
> locally yourself.
> As a general point, if people want to compile Git themselves, it's
> normally straightforward, either using the upstream Git sources, or
> using the Cygport packaging sources from
> https://github.com/me-and/Cygwin-Git. I only haven't released it
> myself because I have a higher bar for making sure the test suite
> passes and so forth for something that'll be used by a significant
> chunk of the Cygwin user base, than for something that's only going to
> be used by me.
> Your local friendly Git package maintainer
> Problem reports: http://cygwin.com/problems.html
> FAQ: http://cygwin.com/faq/
> Documentation: http://cygwin.com/docs.html
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple