1Git v2.14.5 Release Notes 2========================= 3 4This release is to address the recently reported CVE-2018-17456. 5 6Fixes since v2.14.4 7------------------- 8 9 * Submodules' "URL"s come from the untrusted .gitmodules file, but 10 we blindly gave it to "git clone" to clone submodules when "git 11 clone --recurse-submodules" was used to clone a project that has 12 such a submodule. The code has been hardened to reject such 13 malformed URLs (e.g. one that begins with a dash). 14 15Credit for finding and fixing this vulnerability goes to joernchen 16and Jeff King, respectively.