[openstack-dev] Git client vulnerability

Jeremy Stanley fungi at yuggoth.org
Fri Dec 19 16:46:17 UTC 2014


On 2014-12-19 13:34:06 +0000 (+0000), Louis Taylor wrote:
> On Fri, Dec 19, 2014 at 01:19:48PM +0000, Jeremy Stanley wrote:
> > Please re-read that advisory[1]. GitHub's _servers_ were not
> > affected as this is a client-side vulnerability. What GitHub did was
> > release fixed versions of their "GitHub for Windows" and "GitHub for
> > Mac" _client_ tools.
> 
> GitHub's servers were patched such that it is now not possible to host a
> malicious repository on GitHub servers, and attempts to push one will be
> rejected. This is mentioned in the advisory.

Yes, thanks, I phrased that poorly. GitHub's servers were not
vulnerable, but you are correct that they have added some mitigation
within their service to help shield as-of-yet unpatched clients from
the announced vulnerability.
-- 
Jeremy Stanley


