
@stsp If I have #Git for #Windows, do I have to uninstall it for the time being?

@zyabin101 No, just don't clone/pull any repositories you don't trust. And update ASAP when a fix becomes available.


> [...] [U]pdate ASAP when a fix becomes available.

Eh, I don't have a magical RSS reader that would ensure that I'm informed of the fix.

@zyabin101 I don't know how Git for Windows communicates release announcements to users. Sorry.

@zyabin101 Correction: This current release "v2.14.0 (August 6th 2017)" looks too old. Sorry, my bad. I hope they release another update soon.

@stsp Releases and

> Bug Fixes [...]
> * A malicious "ssh://..." URL could result in options passed to the
> `ssh` command, which is now prevented.

🤔 Unsure whether that is the current fix or another ssh sec fix.

@zyabin101 That description sounds very much like the same bug. Should be safe.

The problem has been known internally for several weeks. It was originally fixed in git-lfs on May 19:

It took a while for this to be noticed elsewhere. I don't know the exact timeline.
What I do know is that the project was first made aware of it on July 28 (via git developer Jonathan Nieder).