Eclipse JGit: Java implementation of Git 4.11.4

Bug Fixes

CVE-2018-17456

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

JGit itself is not affected by this vulnerability. This release implements validation of .gitmodules files in JGit to protect unguarded tools.

  • BaseReceivePack: Validate incoming .gitmodules files and reject submodule URLs starting with '-' that could pass as options to an unguarded tool
  • ObjectChecker: Report .gitmodules files found in the pack
  • SubmoduleAddCommand: Reject submodule URIs that look like command line options
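
The kind of check described in the list above can be sketched as a standalone scan of a .gitmodules file for submodule URLs that begin with '-'. This is an added example, not JGit's code: the function names, the simplified git-config parsing (no line continuations, escapes taken literally) and the sample file are assumptions constructed for illustration.

```python
import re

# Section header such as [submodule "libs/foo"]; key = value lines inside it.
_SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
_KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

# Constructed sample: one clean submodule, one option-like URL, one unrelated section.
SAMPLE = ('[submodule "docs"]\n\tpath = docs\n\turl = https://example.com/docs.git\n'
          '[submodule "vendor/lib"]\n\tpath = vendor/lib\n\turl = "--example-option"\n'
          '[core]\n\turl = -not-a-submodule\n')


def _unquote(raw):
    """Drop double quotes and trailing comments from a config value (simplified)."""
    out, in_quote, i = [], False, 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in "#;" and not in_quote:
            break  # an unquoted comment ends the value
        else:
            out.append(c)
        i += 1
    return "".join(out).rstrip()


def find_option_like_urls(gitmodules_text):
    """Return [(submodule_name, url)] for each submodule url starting with '-'."""
    findings, current = [], None
    for line in gitmodules_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(2) if m.group(1).lower() == "submodule" else None
            continue
        m = _KEYVAL.match(line)
        if m and current is not None and m.group(1).lower() == "url":
            url = _unquote(m.group(2))  # quoting must not hide a leading '-'
            if url.startswith("-"):
                findings.append((current, url))
    return findings
```

A receiving server or CI job would reject the push or clone when the returned list is non-empty.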

Build and Release Engineering

  • Fix configuration of maven-javadoc-plugin
Release Date
Release Type
Service release (bug fixes only)