Documentation/RelNotes/2.20.2.txt - jrn/git - Git at Google

 Git v2.20.2 Release Notes
 =========================

 This release merges up the fixes that appear in v2.14.6, v2.15.4
 and in v2.17.3, addressing the security issues CVE-2019-1348,
 CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
 CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes
 for those versions for details.

 The change to disallow `submodule.<name>.update=!command` entries in
 `.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
 added explicit fsck checks) fixes the vulnerability in v2.20.x where a
 recursive clone followed by a submodule update could execute code
 contained within the repository without the user explicitly having
 asked for that (CVE-2019-19604).

 Credit for finding this vulnerability goes to Joern Schneeweisz,
 credit for the fixes goes to Jonathan Nieder.
	Git v2.20.2 Release Notes
	=========================

	This release merges up the fixes that appear in v2.14.6, v2.15.4
	and in v2.17.3, addressing the security issues CVE-2019-1348,
	CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
	CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes
	for those versions for details.

	The change to disallow `submodule.<name>.update=!command` entries in
	`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
	added explicit fsck checks) fixes the vulnerability in v2.20.x where a
	recursive clone followed by a submodule update could execute code
	contained within the repository without the user explicitly having
	asked for that (CVE-2019-19604).

	Credit for finding this vulnerability goes to Joern Schneeweisz,
	credit for the fixes goes to Jonathan Nieder.