From: Alan W. I. <ir...@be...> - 2014-12-19 18:13:28
See <https://github.com/blog/1938-git-client-vulnerability-announced> for details from the github point of view, but I am pretty sure it is not that different from the SF point of view since this is a git client issue and not a git server issue. To me this vulnerability seems pretty low-risk for the PLplot git repository at SF since it requires an attacker (unless they already own the computer used by the PLplot core team member) to be able to first beat the SourceForge security that keeps anyone but the PLplot core team from pushing code to our SF repository. And "security by obscurity" is a huge factor as well. Nevertheless, if you are using a Mac OS X or Windows git client to access any git repository including the PLplot one, it does appear to be a good idea as a matter of due diligence to reinstall git as soon as the place where you downloaded your git client announces they have made a version available that fixes this vulnerability.

Alan

__________________________
Alan W. Irwin
Astronomical research affiliation with Department of Physics and Astronomy, University of Victoria (astrowww.phys.uvic.ca).
Programming affiliations with the FreeEOS equation-of-state implementation for stellar interiors (freeeos.sf.net); the Time Ephemerides project (timeephem.sf.net); PLplot scientific plotting software package (plplot.sf.net); the libLASi project (unifont.org/lasi); the Loads of Linux Links project (loll.sf.net); and the Linux Brochure Project (lbproject.sf.net).
__________________________
Linux-powered Science
__________________________
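The post's one concrete action is to reinstall git once a fixed client is available. The following is an added example, not part of Alan's message or of the PLplot project, that a team member can run to confirm the reinstall actually changed the client to a version at or above the fixed one: it parses the banner printed by `git --version` and compares dotted version numbers component by component (so 2.10.0 correctly ranks above 2.9.5). The minimum version `MIN_FIXED_VERSION` is a placeholder assumption; the real value comes from the announcement of whoever supplies your git binaries. The sample banner used when git is not on PATH is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# MIN_FIXED_VERSION is an assumed placeholder; take the real minimum from your
# git distributor's fix announcement (override via the environment if needed).
MIN_FIXED_VERSION="${MIN_FIXED_VERSION:-2.2.1}"

# version_ge A B -> returns 0 if dotted version A >= B, 1 otherwise.
# Compares numerically component by component, padding missing components
# with 0, so 2.10.0 > 2.9.5, 1.8.5.6 > 1.8.5 and 2.2 == 2.2.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# extract_git_version BANNER -> the numeric part of a "git version ..." line,
# e.g. "git version 2.2.0 (Apple Git-66)" -> "2.2.0". Prints nothing if the
# banner does not look like git's output.
extract_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p' | sed 's/\.$//'
}

# check_git_banner BANNER MIN -> prints a verdict; returns 0 if the banner's
# version is at or above MIN, 1 if it is below, 2 if it cannot be parsed.
check_git_banner() {
    v=$(extract_git_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a git version from: $1"
        return 2
    fi
    if version_ge "$v" "$2"; then
        echo "git $v is at or above $2: OK"
        return 0
    fi
    echo "git $v is below $2: reinstall or upgrade the git client"
    return 1
}

# Stand-alone run: query the installed client when git is on PATH, otherwise
# fall back to a constructed sample banner so the script still runs offline.
if command -v git >/dev/null 2>&1; then
    banner=$(git --version)
else
    banner="git version 2.1.3"   # constructed sample, not a real measurement
fi
if check_git_banner "$banner" "$MIN_FIXED_VERSION"; then
    GIT_CHECK_STATUS=0
else
    GIT_CHECK_STATUS=$?
fi
```

Run it on each machine after the reinstall; `GIT_CHECK_STATUS` is non-zero when the client is still older than the minimum, which is the case the post is warning about. The comparison deliberately uses only POSIX sh and sed so the same script works on the Mac OS X and Linux clients mentioned in the message.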