Accepted git-annex 6.20170101-1+deb9u2 (source) into proposed-updates->stable-new, proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 Jun 2018 16:42:37 +0100
Source: git-annex
Binary: git-annex
Architecture: source
Version: 6.20170101-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Richard Hartmann <richih@debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (6.20170101-1+deb9u2) stretch; urgency=high
 .
   [ Joey Hess ]
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that file:/
       is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not allow
       supporting annex.security.allowed-url-schemes across redirects.
       If you used this setting, you may want to instead use annex.web-options
       to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and the
       LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting.
       (The S3, glacier, and webdav special remotes are still allowed to
       download from the web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content that cannot be verified with a hash,
       from encrypted special remotes (for CVE-2018-10859),
       and from all external special remotes (for CVE-2018-10857).
       In particular, URL and WORM keys stored on such remotes won't
       be downloaded. If this affects your files, you can run
       `git-annex migrate` on the affected files, to convert them
       to use a hash.
     - Added annex.security.allow-unverified-downloads, which can override
       the above.
 .
 git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
     execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)
Checksums-Sha1:
 440c1251fbe20dbf443c6df5fe751ca44aab2887 5240 git-annex_6.20170101-1+deb9u2.dsc
 2645dcd551cc00c03a293187953445c506d17cd4 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Checksums-Sha256:
 d485b213f7596fae899917671b7a78a9e0535b22a7cac51748c4e5842556aca2 5240 git-annex_6.20170101-1+deb9u2.dsc
 b7e9d0160a782c1b2a97e559e88c21189281cd460fb41cc8217e7e76251877a1 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Files:
 75bec588ccb2a7d3d46ae77032467477 5240 utils optional git-annex_6.20170101-1+deb9u2.dsc
 54bbb6bbb30144bd55aa37a886accb43 88536 utils optional git-annex_6.20170101-1+deb9u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----