Critical Vulnerability in Git Clients as well as Any Software that interacts with Git RepositoriesMac and Windows Affected
Mac and Windows Affected
Ken Westin, Sr. Technical Marketing Manager and Security Analyst at Tripwire, explains the nature of the bug: “This vulnerability has serious implications for developers and other users of the popular Git client utilities. If a vulnerable Git client connects to a remote Git server that has a malicious Git tree, attackers can overwrite a configuration file and use remote code execution to compromise the system.” GitHub has released updated version for its GitHub for Windows and GitHub for Mac clients. You can update your respective clients by clicking on the respective hyperlinks. Both the updates patch the vulnerability on the client systems, including the desktop application and the command-line counterpart. Linux systems however, have a chance of staying safe, but only as long as they are using case-sensitive file systems. In addition to the download packages for Windows and Mac, GitHub has released a set of new maintenance releases (v1.8.5.6, v1.9.5, v2.0.5, and v2.1.4) that all patch the vulnerability. The two major Git libraries, libgit2 and JGit, have also released new releases incorporating the fix. This includes Visual Studio, a service which allows developers to build and store their projects in the cloud and connects to Eclipse, Xcode, and other Git clients. It is recommended that any third-party software that makes use of the libraries implement the fix and update as soon as possible.
