@jond The link to the advisory works for me. Maybe wait a while, you might be redirected to a different www mirror.

Here is an alternative link to the corresponding news item on the SVN home page. Try to follow links from there:
subversion.apache.org/news.htm

@stsp Okay. Thanks. I'm seeing an entirely different mirror here. The news page doesn't even have an entry for today yet. Le sigh. mastodon.social/media/Pe_I27X4

@stsp INSTALL GIT FOR WINDOWS OVER THE CURRENT INSTALL!

> [ANNOUNCE] Git v2.14.1, v2.13.5, and others

OH [content deleted], THEY DIDN'T RELEASE THE NEW GIT FOR WINDOWS YET!

They are as operative as they are, last commit 3 days ago and 25 commits left. DansGame

@stsp If I have #Git for #Windows, do I have to uninstall it for the time being?

@zyabin101 No, just don't clone/pull any repositories you don't trust. And update ASAP when a fix becomes available.

@stsp

> [...] [U]pdate ASAP when a fix becomes available.

Eh, I don't have a magical RSS reader that would ensure that I'm informed of the fix.

@zyabin101 I don't know how Git for Windows communicates release announcements to users. Sorry.

@zyabin101 Correction: This current release "v2.14.0 (August 6th 2017)" looks too old. Sorry, my bad. I hope they release another update soon.

@stsp Releases v2.13.1.windows.3 and v2.12.2.windows.3:

> Bug Fixes [...]
> * A malicious "ssh://..." URL could result in options passed to the
> `ssh` command, which is now prevented.

🤔 Unsure whether that is the current fix or another ssh sec fix.

@zyabin101 That description sounds very much like the same bug. Should be safe.

The problem has been known internally for several weeks. It was originally fixed in git-lfs on May 19:
github.com/git-lfs/git-lfs/com
bounty.github.com/researchers/

It took a while for this to be noticed elsewhere. I don't know the exact timeline.
What I do know is that the project was first made aware of it on July 28 (via git developer Jonathan Nieder).

@stsp looks like they all got updated in Debian Sid right now.