Re: [ANNOUNCE] Git v2.12.3 and others

From: Jonathan Nieder
Date: Tue May 09 2017 - 20:38:33 EST

Junio C Hamano wrote:

> Maintenance releases Git v2.4.12, v2.5.6, v2.6.7, v2.7.5, v2.8.5,
> v2.9.4, v2.10.3, v2.11.2, and v2.12.3 have been tagged and are now
> available at the usual places.
> These are primarily to fix a recently disclosed problem with "git
> shell", which may allow a user who comes over SSH to run an
> interactive pager by causing it to spawn "git upload-pack --help"
> (CVE-2017-8386). Some (like v2.12.3) have other fixes that have
> been accumulating included as well.
> "git-shell" is a restricted login shell that can be used on a server
> to prevent SSH clients from running any programs except those needed
> for git fetches and pushes. If you are not running a server, or if
> your server has not been explicitly configured to use git-shell as a
> login shell, you are not affected. Also note that sites running "git
> shell" behind gitolite are NOT vulnerable.

Thanks. Credit for discovering this bug goes to Timo Schmid, ERNW GmbH.
They will probably have a blog post soon with more details.

1.6.1 is the earliest git version affected (so this goes back pretty

> The tarballs are found at:
> The following public repositories all have a copy of these tags:
> url =
> url = git://
> url = git://
> url = git://
> url =