Documentation/RelNotes/2.13.7.txt - jrn/git - Git at Google

 Git v2.13.7 Release Notes
 =========================

 Fixes since v2.13.6
 -------------------

  * Submodule "names" come from the untrusted .gitmodules file, but we
    blindly append them to $GIT_DIR/modules to create our on-disk repo
    paths. This means you can do bad things by putting "../" into the
    name. We now enforce some rules for submodule names which will cause
    Git to ignore these malicious names (CVE-2018-11235).

    Credit for finding this vulnerability and the proof of concept from
    which the test script was adapted goes to Etienne Stalmans.

  * It was possible to trick the code that sanity-checks paths on NTFS
    into reading random piece of memory (CVE-2018-11233).

 Credit for fixing for these bugs goes to Jeff King, Johannes
 Schindelin and others.
	Git v2.13.7 Release Notes
	=========================

	Fixes since v2.13.6
	-------------------

	* Submodule "names" come from the untrusted .gitmodules file, but we
	blindly append them to $GIT_DIR/modules to create our on-disk repo
	paths. This means you can do bad things by putting "../" into the
	name. We now enforce some rules for submodule names which will cause
	Git to ignore these malicious names (CVE-2018-11235).

	Credit for finding this vulnerability and the proof of concept from
	which the test script was adapted goes to Etienne Stalmans.

	* It was possible to trick the code that sanity-checks paths on NTFS
	into reading random piece of memory (CVE-2018-11233).

	Credit for fixing for these bugs goes to Jeff King, Johannes
	Schindelin and others.