Git v2.13.7 Release Notes
=========================

Fixes since v2.13.6
-------------------

 * Submodule "names" come from the untrusted .gitmodules file, but we
   blindly append them to $GIT_DIR/modules to create our on-disk repo
   paths. This means you can do bad things by putting "../" into the
   name. We now enforce some rules for submodule names which will cause
   Git to ignore these malicious names (CVE-2018-11235).

   Credit for finding this vulnerability and the proof of concept from
   which the test script was adapted goes to Etienne Stalmans.

 * It was possible to trick the code that sanity-checks paths on NTFS
   into reading a random piece of memory (CVE-2018-11233).

Credit for fixing these bugs goes to Jeff King, Johannes
Schindelin and others.
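
The submodule-name item above, as an added example (not code from Git or from these notes): a check that refuses to build a path under a modules directory when the name is empty or contains ".." as a whole path component. The rule itself, the function names and the sample names are assumptions made for illustration; the notes do not spell out the rules Git enforces.

```c
#include <stdio.h>
#include <string.h>

/* '/' is a separator everywhere; '\\' is one on Windows, so treat both alike. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Return 0 if name is acceptable, -1 if it is empty or has a ".." component. */
int submodule_name_ok(const char *name)
{
    const char *p = name;

    if (!*name)
        return -1;
    while (*p) {
        /* p points at the start of a path component */
        if (p[0] == '.' && p[1] == '.' && (p[2] == '\0' || is_sep(p[2])))
            return -1;
        while (*p && !is_sep(*p))
            p++;
        if (*p)
            p++; /* step over one separator */
    }
    return 0;
}

/* Build "<modules_dir>/<name>"; -1 if the name is rejected or does not fit. */
int submodule_gitdir(char *out, size_t outlen, const char *modules_dir,
                     const char *name)
{
    int n;

    if (submodule_name_ok(name) < 0)
        return -1;
    n = snprintf(out, outlen, "%s/%s", modules_dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, as they could appear in a .gitmodules file. */
    const char *names[] = { "lib/foo", "a..b", "../../elsewhere",
                            "sub/../../x", "..\\x", "" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (submodule_gitdir(path, sizeof(path), ".git/modules", names[i]) == 0)
            printf("ok      %-12s -> %s\n", names[i], path);
        else
            printf("ignored \"%s\"\n", names[i]);
    return 0;
}
```

A name such as "a..b" passes because the dots are not a component on their own; only a ".." bounded by separators or the ends of the string is rejected.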