Accepted git-annex 6.20170101-1+deb9u2 (source) into proposed-updates->stable-new, proposed-updates
Format: 1.8
Date: Fri, 22 Jun 2018 16:42:37 +0100
Source: git-annex
Binary: git-annex
Architecture: source
Version: 6.20170101-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Richard Hartmann <richih@debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Description:
git-annex - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (6.20170101-1+deb9u2) stretch; urgency=high
 .
   [ Joey Hess ]
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that file:/
       is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not allow
       supporting annex.security.allowed-url-schemes across redirects.
       If you used this setting, you may want to instead use annex.web-options
       to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and the
       LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting.
       (The S3, glacier, and webdav special remotes are still allowed to
       download from the web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content that cannot be verified with a hash
       from encrypted special remotes (for CVE-2018-10859)
       and from all external special remotes (for CVE-2018-10857).
       In particular, URL and WORM keys stored on such remotes won't
       be downloaded. If this affects your files, you can run
       `git-annex migrate` on the affected files, to convert them
       to use a hash.
     - Added annex.security.allow-unverified-downloads, which can override
       the above.
 .
 git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
     execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)
Checksums-Sha1:
440c1251fbe20dbf443c6df5fe751ca44aab2887 5240 git-annex_6.20170101-1+deb9u2.dsc
2645dcd551cc00c03a293187953445c506d17cd4 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Checksums-Sha256:
d485b213f7596fae899917671b7a78a9e0535b22a7cac51748c4e5842556aca2 5240 git-annex_6.20170101-1+deb9u2.dsc
b7e9d0160a782c1b2a97e559e88c21189281cd460fb41cc8217e7e76251877a1 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Files:
75bec588ccb2a7d3d46ae77032467477 5240 utils optional git-annex_6.20170101-1+deb9u2.dsc
54bbb6bbb30144bd55aa37a886accb43 88536 utils optional git-annex_6.20170101-1+deb9u2.debian.tar.xz
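Added example, not git-annex code: a simplified download policy in the spirit of the CVE-2018-10857 entry above, allowing only the listed URL schemes, refusing hosts that resolve to loopback or private addresses, and re-applying both checks on every redirect hop (the step the removed annex.web-download-command could not support). The `resolve`, `fetch` and `allowed_addresses` names are assumptions, and the hosts and responses are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Mirrors the default of annex.security.allowed-url-schemes; file:/ is deliberately absent.
DEFAULT_SCHEMES = frozenset({"http", "https", "ftp"})

class DownloadRefused(Exception):
    pass  # raised when the URL, or any redirect target, fails the policy
def address_is_private(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_multicast
def check_url(url, resolve, allowed_schemes=DEFAULT_SCHEMES, allowed_addresses=frozenset()):
    """Validate one hop. `resolve(host)` is injected so the example runs offline;
    `allowed_addresses` stands in for annex.security.allowed-http-addresses (assumed name)."""
    parts = urlparse(url)
    if parts.scheme not in allowed_schemes:
        raise DownloadRefused(f"scheme {parts.scheme!r} not allowed: {url}")
    ips = resolve(parts.hostname)
    if not ips:
        raise DownloadRefused(f"cannot resolve host of {url}")
    for ip in ips:
        if address_is_private(ip) and ip not in allowed_addresses:
            raise DownloadRefused(f"{parts.hostname} resolves to non-public {ip}")
def fetch_with_policy(url, fetch, resolve, max_redirects=5, **policy):
    """Re-check every redirect target, the step annex.web-download-command could not offer."""
    for _ in range(max_redirects + 1):
        check_url(url, resolve, **policy)
        status, payload = fetch(url)  # fetch(url) -> (status, location_or_body)
        if status not in (301, 302, 303, 307, 308):
            return payload
        url = urljoin(url, payload)  # relative Location values resolve against this hop
    raise DownloadRefused("too many redirects")

# Constructed resolver and server responses; no real hosts are contacted.
RESOLVE = {"example.org": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
PAGES = {
    "https://example.org/file": (302, "/mirror/file"),
    "https://example.org/mirror/file": (200, b"public content"),
    "https://example.org/bounce": (302, "http://localhost:8080/private"),
    "http://localhost:8080/private": (200, b"intranet content"),
}
def resolve(host): return RESOLVE.get(host, [])
def fetch(url): return PAGES.get(url, (404, b""))
def is_refused(url, **policy):  # does the policy block this download?
    try:
        fetch_with_policy(url, fetch, resolve, **policy)
        return False
    except DownloadRefused:
        return True
```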