Documentation / RelNotes / 2.13.7.txton commit Merge branch 'sb/submodule-update-in-c' (4d6d6ef)
   1Git v2.13.7 Release Notes
   2=========================
   3
   4Fixes since v2.13.6
   5-------------------
   6
   7 * Submodule "names" come from the untrusted .gitmodules file, but we
   8   blindly append them to $GIT_DIR/modules to create our on-disk repo
   9   paths. This means you can do bad things by putting "../" into the
  10   name. We now enforce some rules for submodule names which will cause
  11   Git to ignore these malicious names (CVE-2018-11235).
  12
  13   Credit for finding this vulnerability and the proof of concept from
  14   which the test script was adapted goes to Etienne Stalmans.
  15
  16 * It was possible to trick the code that sanity-checks paths on NTFS
  17   into reading random piece of memory (CVE-2018-11233).
  18
  19Credit for fixing for these bugs goes to Jeff King, Johannes
  20Schindelin and others.