author Joey Hess <joeyh@joeyh.name> 2018-06-21 13:34:11 -0400
committer Joey Hess <joeyh@joeyh.name> 2018-06-21 13:37:01 -0400
commit b657242f5d946efae4cc77e8aef95dd2a306cd6b
tree 3ce1adc18e7d4954b163cde419efcdf592fe06dc /CHANGELOG
parent c981683f77253b2fa4e3f85d5593e6b1944d7746
enforce retrievalSecurityPolicy
Leveraged the existing verification code by making it also check the retrievalSecurityPolicy.

Also, prevented getViaTmp from running the download action at all when the retrievalSecurityPolicy is going to prevent verifying and so storing it.

Added annex.security.allow-unverified-downloads. A per-remote version would be nice to have too, but would need more plumbing, so KISS. (Bill the Cat reference not too over the top I hope. The point is to make this something the user reads the documentation for before using.)

A few calls to verifyKeyContent and getViaTmp, that don't involve downloads from remotes, have RetrievalAllKeysSecure hard-coded. It was also hard-coded for P2P.Annex and Command.RecvKey, to match the values of the corresponding remotes.

A few things use retrieveKeyFile/retrieveKeyFileCheap without going through getViaTmp.
* Command.Fsck when downloading content from a remote to verify it. That content does not get into the annex, so this is ok.
* Command.AddUrl when using a remote to download an url; this is new content being added, so this is ok.

This commit was sponsored by Fernando Jimenez on Patreon.
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- CHANGELOG 15
1 files changed, 12 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b80205f9af..6f82a31b76 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,10 +1,19 @@
git-annex (6.20180622) upstream; urgency=high
- Security fix release for CVE-2018-10857
-
+ Security fix release for CVE-2018-10857 and CVE-2018-10859
+
+ * Refuse to download content, that cannot be verified with a hash,
+ from encrypted special remotes (for CVE-2018-10859),
+ and from all external special remotes (for CVE-2018-10857).
+ In particular, URL and WORM keys stored on such remotes won't
+ be downloaded. If this affects your files, you can run
+ `git-annex migrate` on the affected files, to convert them
+ to use a hash.
+ * Added annex.security.allow-unverified-downloads, which can override
+ the above.
* Added annex.security.allowed-url-schemes setting, which defaults
to only allowing http, https, and ftp URLs. Note especially that file:/
- is no longer enabled by default. This is a security fix.
+ is no longer enabled by default.
* Removed annex.web-download-command, since its interface does not allow
supporting annex.security.allowed-url-schemes across redirects.
If you used this setting, you may want to instead use annex.web-options
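Review bot: The new annex.security.allow-unverified-downloads entry says only that it "can override the above", which gives a reader of the changelog no sign that setting it removes the protection the preceding bullet adds for CVE-2018-10857 and CVE-2018-10859. Suggest stating that in the entry and pointing to the setting's documentation, since the commit message says the intent is for users to read it before use. Separately, the allowed-url-schemes bullet drops "This is a security fix." while the new bullets each name the CVE they address; consider keeping a marker on that bullet so every security-relevant item in this release is labelled the same way.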