Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "JGit/New and Noteworthy/3.6"
(→Fix for CVE-2014-9390) |
|||
Line 30: | Line 30: | ||
The patches fixing [http://article.gmane.org/gmane.linux.kernel/1853266 CVE-2014-9390] released in [https://dev.eclipse.org/mhonarc/lists/jgit-dev/msg02789.html JGit 3.4.2 and 3.5.3] are also included in 3.6.0. | The patches fixing [http://article.gmane.org/gmane.linux.kernel/1853266 CVE-2014-9390] released in [https://dev.eclipse.org/mhonarc/lists/jgit-dev/msg02789.html JGit 3.4.2 and 3.5.3] are also included in 3.6.0. | ||
− | As described in [https://developer.atlassian.com/blog/2014/12/securing-your-git-server/ Securing your Git server] native git has been enhanced by configuration parameters allowing to configure a git server to check all objects it receives against problematic pathes. A server running e.g. on Linux can be configured to check also for pathes problematic on HFS+ or NTFS. This is also possible for JGit based Git servers. JGit understands the boolean config parameters | + | As described in [https://developer.atlassian.com/blog/2014/12/securing-your-git-server/ Securing your Git server] native git has been enhanced by configuration parameters allowing to configure a git server to check all objects it receives against problematic pathes. A server running e.g. on Linux can be configured to check also for pathes problematic on HFS+ or NTFS. This is also possible for JGit based Git servers. JGit understands the boolean config parameters '''receive.fsckobjects''', '''fsck.safeForWindows''' and '''fsck.safeForMacOS'''. They match native git's '''receive.fsckobjects''', '''core.protectNTFS''', '''core.protectHFS'''. |
{| cellpadding="3" cellspacing="0" border="1" | {| cellpadding="3" cellspacing="0" border="1" | ||
− | ! | + | !git-core |
− | + | ||
!JGit | !JGit | ||
+ | !Description | ||
|- | |- | ||
+ | |colspan=2 style="text-align:center;"|'''receive.fsckobjects''' | ||
|enable checks when receiving objects | |enable checks when receiving objects | ||
− | |||
− | |||
|- | |- | ||
+ | |'''core.protectNTFS''' | ||
+ | |'''fsck.safeForWindows''' | ||
|check pathes problematic on NTFS | |check pathes problematic on NTFS | ||
− | |||
− | |||
|- | |- | ||
+ | |'''core.protectHFS''' | ||
+ | |'''fsck.safeForMacOS''' | ||
|check pathes problematic on HFS+ | |check pathes problematic on HFS+ | ||
− | |||
− | |||
|} | |} | ||
− | Enabling receive.fsckObjects makes JGit check the integrity of objects before a push is accepted, which is a pre-requisite for the other flags. The fsck.safeForMacOS and fsck.safeForWindows flags prevent the OS X and Windows vulnerabilities described above, respectively. Both default to true on their respective systems but will need to be enabled specifically on other platforms. Since clients could be using a different operating system to your server you should enable both on JGit based servers. | + | |
+ | Enabling '''receive.fsckObjects''' makes JGit check the integrity of objects before a push is accepted, which is a pre-requisite for the other flags. The '''fsck.safeForMacOS''' and '''fsck.safeForWindows''' flags prevent the OS X and Windows vulnerabilities described above, respectively. Both default to true on their respective systems but will need to be enabled specifically on other platforms. Since clients could be using a different operating system to your server you should enable both on JGit based servers. | ||
= Contributors = | = Contributors = |
Revision as of 07:02, 23 December 2014
Contents
JGit
Features
- Ignore rule parser was reimplemented to support ** wildcard patterns, negation rules and improve performance
- Add "aggressive" option to GC
- GarbageCollectCommand now supports DfsRepository
- Support for Submodule configuration submodule.<name>.ignore
- Support for new submodule repository layout (.git/modules of the super project contains the submodule repositories)
- InitCommand support for option "--separate-git-dir" to store .git meta data directory in a separate directory
- CloneCommand support to store .git meta data directory in a separate directory
- Permission bits for "executable" attribute are now set according to the umask on Posix/Java7
- BundleWriter now supports including HEAD in bundle
- New config parameter core.trustfolderstat
JGit Command Line
- Add option --bare to clone command
- Add options --heads and --tags to ls-remote command
Performance Improvements
- Reimplemented ignore rule parser to improve performance of ignore rule evaluation
- Enhance SubmoduleWalk with a fast check whether a repo contains submodules
Build and Release Engineering
- The java7 feature is now included in org.eclipse.jgit.feature
- Maven site generation for jgit
Bug Fixes
11 Bugs and 0 enhancement requests were closed
Fix for CVE-2014-9390
The patches fixing CVE-2014-9390 released in JGit 3.4.2 and 3.5.3 are also included in 3.6.0.
As described in Securing your Git server native git has been enhanced by configuration parameters allowing to configure a git server to check all objects it receives against problematic pathes. A server running e.g. on Linux can be configured to check also for pathes problematic on HFS+ or NTFS. This is also possible for JGit based Git servers. JGit understands the boolean config parameters receive.fsckobjects, fsck.safeForWindows and fsck.safeForMacOS. They match native git's receive.fsckobjects, core.protectNTFS, core.protectHFS.
git-core | JGit | Description |
---|---|---|
receive.fsckobjects | enable checks when receiving objects | |
core.protectNTFS | fsck.safeForWindows | check pathes problematic on NTFS |
core.protectHFS | fsck.safeForMacOS | check pathes problematic on HFS+ |
Enabling receive.fsckObjects makes JGit check the integrity of objects before a push is accepted, which is a pre-requisite for the other flags. The fsck.safeForMacOS and fsck.safeForWindows flags prevent the OS X and Windows vulnerabilities described above, respectively. Both default to true on their respective systems but will need to be enabled specifically on other platforms. Since clients could be using a different operating system to your server you should enable both on JGit based servers.
Contributors
The following 11 developers worked on this release of JGit:
Andrey Loskutov, Axel Richard, Christian Halstrick, Dani Megert, Marc Strapetz, Matthias Sohn, Michael Keppler, Robin Stocker, Shawn Pearce, Stefan Beller, Yuxuan 'fishy' Wang