Git Vulnerability and Update


#1

There is a vulnerability in git that the community is asking servers to block to prevent proliferation of malicious code: https://developer.atlassian.com/blog/2014/12/securing-your-git-server/

Can we please upgrade Git to 2.2.1+ on the shared hosting servers?


#2

Yes, please. After being a DreamHost user for 8 years, I finally just now signed up for the forum specifically to come in here and ask for an upgrade to Git 2.2. On my shared hosting account we’re still at 1.7, which is pretty far behind.


#3

We are running the latest version of git available from Ubuntu for the version of Ubuntu we are running. Ubuntu has backported a patch for this security issue into the older version, making it unnecessary to upgrade to a newer version to fix it. Building our own packages to get newer versions can be a lot of work, and generally we only do it if the version is super old or lacking important features.

Here is the Ubuntu log for the git package:
http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_1.7.9.5-1ubuntu0.1/changelog
If you search it for CVE-2014-9390 you can see that it is fixed in the current version.
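
The changelog search described in reply #3 can be scripted; the following is an added example, not part of any post in this thread. It parses a Debian-format package changelog and prints the package versions whose entries mention a given CVE. The function names and the sample changelog text (maintainer, dates, distribution, entry wording) are constructed for illustration; only the version string and CVE id come from the thread.

```shell
#!/bin/sh
# Print every package version whose changelog entry mentions the CVE id in $1.
# Reads a Debian-format changelog on stdin (newest entry first).
# On a Debian/Ubuntu host the real input would be, for example:
#   zcat /usr/share/doc/git/changelog.Debian.gz | cve_fixed_in CVE-2014-9390
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2; gsub(/[()]/, "", ver); seen = 0; next
        }
        {
            i = index($0, cve)
            # Reject partial matches such as a longer CVE number
            if (i && ver != "" && !seen &&
                substr($0, i + length(cve), 1) !~ /[0-9]/) {
                print ver; seen = 1
            }
        }
    '
}

# Constructed sample changelog (not the real Ubuntu changelog text)
sample_changelog() {
cat <<'EOF'
git (1.7.9.5-1ubuntu0.1) example-security; urgency=medium

  * SECURITY UPDATE: constructed entry text
    - CVE-2014-9390

 -- Example Maintainer <maintainer@example.com>  Thu, 01 Jan 2015 00:00:00 +0000

git (1.7.9.5-1) example; urgency=low

  * Constructed entry with no security fix.

 -- Example Maintainer <maintainer@example.com>  Sun, 01 Jan 2012 00:00:00 +0000
EOF
}

sample_changelog | cve_fixed_in CVE-2014-9390
```

An empty result means the changelog on hand has no entry for that CVE, so the upstream version number alone should not be taken as evidence either way.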