<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 10.2.0" />
<body class="article">
<h2 id="_how_we_coordinate_embargoed_releases">How we coordinate embargoed releases</h2>
<div class="sectionbody">
<div class="paragraph"><p>To protect Git users from critical vulnerabilities, we do not just release
fixed versions like regular maintenance releases. Instead, we coordinate
releases with packagers, keeping the fixes under an embargo until the release
date. That way, users will have a chance to upgrade on that date, no matter
what Operating System or distribution they run.</p></div>
</div>
<h2 id="_the_code_git_security_code_mailing_list">The <code>git-security</code> mailing list</h2>
<div class="sectionbody">
<div class="paragraph"><p>Responsible disclosures of vulnerabilities, analysis, proposed fixes as
well as the orchestration of coordinated embargoed releases all happen on the
<code>git-security</code> mailing list at
&lt;<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>&gt;.</p></div>
<div class="paragraph"><p>In this context, the term "embargo" refers to the time period that information
about a vulnerability is kept under wraps and only shared on a need-to-know
basis. This is necessary to protect Git’s users from bad actors who would
otherwise be made aware of attack vectors that could be exploited. "Lifting the
embargo" refers to publishing the version that fixes the vulnerabilities.</p></div>
<h3 id="_audience_of_the_code_git_security_code_mailing_list">Audience of the <code>git-security</code> mailing list</h3>
<div class="paragraph"><p>Anybody may contact the <code>git-security</code> mailing list by sending an email
to &lt;<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>&gt;, though the archive is closed to the
public and only accessible to subscribed members.</p></div>
<div class="paragraph"><p>There are a few dozen subscribed members: core Git developers who are trusted
with addressing vulnerabilities, and stakeholders (i.e. owners of products
affected by security vulnerabilities in Git).</p></div>
<div class="paragraph"><p>Most of the discussions revolve around assessing the severity of the reported
issue (including the decision whether the report is security-relevant or can be
redirected to the public mailing list), how to remediate the issue, determining
the timeline of the disclosure as well as aligning priorities and
requirements.</p></div>
<h3 id="_communications">Communications</h3>
<div class="paragraph"><p>If you are a stakeholder, it is a good idea to pay close attention to the
discussions, as pertinent information may be buried in the middle of a lively
conversation that might not look relevant to your interests. For example, the
tentative timeline might be agreed upon in the middle of discussing code
comment formatting in one of the patches and whether or not to combine fixes
for multiple, separate vulnerabilities into the same embargoed release. Most
mail threads are not structured specifically to communicate
agreements, assessments or timelines.</p></div>
</div>
<h2 id="_typical_timeline">Typical timeline</h2>
<div class="sectionbody">
<div class="ulist"><ul>
<li><p>A potential vulnerability is reported to the <code>git-security</code> mailing list.</p></li>
<li><p>The members of the git-security list start a discussion to give an initial
assessment of the severity of the reported potential vulnerability.
We aspire to do so within a few days.</p></li>
<li><p>After discussion, if consensus is reached that it is not critical enough
to warrant any embargo, the reporter is redirected to the public Git mailing
list. This ends the reporter’s interaction with the <code>git-security</code> list.</p></li>
<li><p>If it is deemed critical enough for an embargo, ideas are presented on how to
address the vulnerability.</p></li>
<li><p>Usually around that time, the Git maintainer or their delegate(s) open a draft
security advisory in the <code>git/git</code> repository on GitHub (see below for more</p></li>
<li><p>Code review can take place in a variety of different locations,
depending on context. These are: patches sent inline on the git-security list,
a private fork on GitHub associated with the draft security advisory, or the
git/cabal repository.</p></li>
<li><p>Contributors working on a fix should consider beginning by sending
patches to the git-security list (inline with the original thread), since they
are accessible to all subscribers, along with the original reporter.</p></li>
<li><p>Once the review has settled and everyone involved in the review agrees that
the patches are nearing the finish line, the Git maintainer and others
determine a release date as well as the release trains that are serviced. The
decision regarding which versions need a backported fix is based on input from
the reporter, the contributor who worked on the patches, and from
stakeholders. Operators of hosting sites who may want to analyze whether the
given issue is exploited via any of the repositories they host, and binary
packagers who want to make sure their product gets patched adequately against
the vulnerability, for example, may want to give their input at this stage.</p></li>
<li><p>While the Git community does its best to accommodate the specific timeline
requests of the various binary packagers, the nature of the issue may preclude
a prolonged release schedule. For fixes deemed urgent, it may be in the best
interest of the Git user community to shorten the disclosure and release
timeline, and packagers may need to adapt accordingly.</p></li>
<li><p>Subsequently, branches with the fixes are pushed to the git/cabal repository.</p></li>
<li><p>The tags are created by the Git maintainer and pushed to the same repository.</p></li>
<li><p>The Git for Windows, Git for macOS, BSD, Debian, etc. maintainers prepare the
corresponding release artifacts, based on the tags prepared by the Git
maintainer.</p></li>
<li><p>The release artifacts prepared by various binary packagers can be
made available to stakeholders under embargo via a mail to the
<code>git-security</code> list.</p></li>
<li><p>Less than a week before the release, a mail with the relevant information is
sent to &lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt; (see below), a list used to pre-announce
embargoed releases of open source projects to the stakeholders of all major
distributions of Linux as well as other OSes.</p></li>
<li><p>Public communication is then prepared in advance of the release date. This
includes blog posts and mails to the Git and Git for Windows mailing lists.</p></li>
<li><p>On the day of the release, at around 10am Pacific Time, the Git maintainer
pushes the tag and the <code>master</code> branch to the public repository, then sends
out an announcement mail.</p></li>
<li><p>Once the tag is pushed, the Git for Windows maintainer publishes the
corresponding tag and creates a GitHub Release with the associated release
artifacts (Git for Windows installer, Portable Git, MinGit, etc.).</p></li>
<li><p>The Git for Windows release is then announced via a mail to the public Git and
Git for Windows mailing lists as well as via a tweet.</p></li>
<li><p>Ditto for distribution packagers for Linux and other platforms:
their releases are announced via their preferred channels.</p></li>
<li><p>A mail to &lt;<a href="mailto:oss-security@lists.openwall.org">oss-security@lists.openwall.org</a>&gt; (see below for details) is sent
as a follow-up to the &lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt; one, describing the
vulnerability in detail, often including a proof of concept of an exploit.</p></li>
</ul></div>
<div class="paragraph"><p>Note: The Git project makes no guarantees about timelines, but aims to keep
embargoes reasonably short in the interest of keeping Git’s users safe.</p></div>
<h3 id="_opening_a_security_advisory_draft">Opening a Security Advisory draft</h3>
<div class="paragraph"><p>The first step is to <a href="https://github.com/git/git/security/advisories/new">open
an advisory</a>. Technically, this is not necessary. However, it is the most
convenient way to obtain the CVE number and it gives us a private repository
associated with it that can be used to collaborate on a fix.</p></div>
<h3 id="_notifying_the_linux_distributions">Notifying the Linux distributions</h3>
<div class="paragraph"><p>At most two weeks before the release date, we need to send a notification to
&lt;<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>&gt;, preferably less than 7 days before the release date.
This will reach most (all?) Linux distributions. See an example below, and the
guidelines for this mailing list
<a href="https://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists">here</a>.</p></div>
<div class="paragraph"><p>Once the version has been published, we send a note about that to oss-security.
As an example, see <a href="https://www.openwall.com/lists/oss-security/2019/12/13/1">the</a>
<a href="https://oss-security.openwall.org/wiki/mailing-lists/oss-security">Here</a> are
their guidelines.</p></div>
<div class="paragraph"><p>The mail to oss-security should also describe the exploit, and give credit to
the reporter(s): security researchers still receive too little respect for the
invaluable service they provide, and public credit goes a long way to keep them
paid by their respective organizations.</p></div>
<div class="paragraph"><p>Technically, describing any exploit can be delayed up to 7 days, but we usually
refrain from doing that and include it right away.</p></div>
<div class="paragraph"><p>As a courtesy we typically attach a Git bundle (as <code>.tar.xz</code> because the list
will drop <code>.bundle</code> attachments) in the mail to distros@ so that the involved
parties can take care of integrating/backporting them. This bundle is typically
created using a command like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>git bundle create cve-xxx.bundle ^origin/master vA.B.C vD.E.F
tar cJvf cve-xxx.bundle.tar.xz cve-xxx.bundle</code></pre>
</div></div>
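The bundle hand-off above, end to end, as an added example that is not part of the Git documentation: the sender side runs the same <code>git bundle create ... ^origin/master</code> and <code>tar cJf</code> steps, and the receiver side does what the distros@ mail asks a packager to do (unpack, <code>git bundle verify</code>, fetch the tags). The repositories, tag names and bundle name are constructed for the demo; its tags are unsigned, so the <code>git tag -v</code> check is provided as a function but not executed.

```shell
#!/bin/sh
# Added example, not code from the Git howto. ^origin/master excludes
# everything the public master already has, so only the embargoed fix
# commits and the tag objects travel in the bundle. Repository layout and
# tag names below are constructed for the demo.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Sender: $1 = maintainer's private repo, $2 = bundle base name, $3.. = tags
make_embargo_bundle() {
    repo=$1; name=$2; shift 2
    ( cd "$repo" \
      && git bundle create "$name.bundle" ^origin/master "$@" \
      && tar cJf "$name.bundle.tar.xz" "$name.bundle" )
}

# Receiver: $1 = packager's clone of the public repo, $2 = path to .tar.xz
# `git bundle verify` fails when the clone lacks the bundle's prerequisite
# commits, i.e. when it is not based on the public master the bundle assumes.
# The tags are fetched with an explicit refspec (the mail uses --tags).
import_embargo_bundle() {
    clone=$1; archive=$2
    tar xJf "$archive" -C "$clone"
    bundle=$(basename "$archive" .tar.xz)
    ( cd "$clone" \
      && git bundle verify "$bundle" >/dev/null \
      && git fetch -q "$bundle" 'refs/tags/*:refs/tags/*' )
}

# The check from the distros@ mail: needs the Git maintainer's public key in
# the local keyring, so it is not run against the unsigned demo tags.
verify_tag_signature() {
    ( cd "$1" && git tag -v "$2" )
}

# Constructed round trip; returns the release tags the packager ends up with.
demo() {
    work=$(mktemp -d)
    git init -q "$work/upstream"
    ( cd "$work/upstream" && git symbolic-ref HEAD refs/heads/master \
      && echo base > file && git add file && git commit -q -m "public base" )
    git clone -q "$work/upstream" "$work/clone"     # packager: public master
    git clone -q "$work/upstream" "$work/private"   # maintainer: fixes + tags
    ( cd "$work/private" \
      && echo fix > file && git add file \
      && git commit -q -m "fix: embargoed change (constructed)" \
      && git tag -a -m "v2.0.1" v2.0.1 \
      && echo fix2 > file && git add file \
      && git commit -q -m "fix: follow-up (constructed)" \
      && git tag -a -m "v2.1.1" v2.1.1 )
    make_embargo_bundle "$work/private" cve-xxx v2.0.1 v2.1.1
    import_embargo_bundle "$work/clone" "$work/private/cve-xxx.bundle.tar.xz"
    tags=$(cd "$work/clone" && git tag --list 'v*' | tr '\n' ' ')
    rm -rf "$work"
    echo "${tags% }"
}
```

Run <code>demo</code> to see the two tags arrive in the packager's clone; point <code>verify_tag_signature</code> at a real clone and tag once the maintainer's key is in your keyring.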
<h3 id="_example_mail_to_a_href_mailto_distros_vs_openwall_org_distros_vs_openwall_org_a">Example mail to <a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a></h3>
<div class="literalblock">
<div class="content">
<pre><code>To: distros@vs.openwall.org
Cc: git-security@googlegroups.com, &lt;other people involved in the report/fix&gt;
Subject: [vs] Upcoming Git security fix release

The Git project will release new versions on &lt;date&gt; at 10am Pacific Time or
soon thereafter. I have attached a Git bundle (embedded in a `.tar.xz` to avoid
it being dropped) which you can fetch into a clone of
https://github.com/git/git via `git fetch --tags /path/to/cve-xxx.bundle`,
containing the tags for versions &lt;versions&gt;.

You can verify with `git tag -v &lt;tag&gt;` that the versions were signed by
the Git maintainer, using the same GPG key as e.g. v2.24.0.

Please use these tags to prepare `git` packages for your various
distributions, using the appropriate tagged versions. The added test cases
help verify the correctness.

The addressed issues are:

&lt;list of CVEs with a short description, typically copy/pasted from Git's
release notes, usually demo exploit(s), too&gt;

Credit for finding the vulnerability goes to &lt;reporter&gt;, credit for fixing
it goes to &lt;developer&gt;.

&lt;name&gt;</code></pre>
</div></div>
<h3 id="_example_mail_to_a_href_mailto_oss_security_lists_openwall_com_oss_security_lists_openwall_com_a">Example mail to <a href="mailto:oss-security@lists.openwall.com">oss-security@lists.openwall.com</a></h3>
<div class="literalblock">
<div class="content">
<pre><code>To: oss-security@lists.openwall.com
Cc: git-security@googlegroups.com, &lt;other people involved in the report/fix&gt;
Subject: git: &lt;copy from security advisory&gt;

The Git project released new versions on &lt;date&gt;, addressing &lt;CVE&gt;.

All supported platforms are affected in one way or another, and all Git
versions all the way back to &lt;version&gt; are affected. The fixed versions are:

Link to the announcement: &lt;link to lore.kernel.org/git&gt;

We highly recommend to upgrade.

The addressed issues are:
* &lt;list of CVEs and their explanations, along with demo exploits&gt;

Credit for finding the vulnerability goes to &lt;reporter&gt;, credit for fixing
it goes to &lt;developer&gt;.

&lt;name&gt;</code></pre>
</div></div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer-text">
2024-04-23 16:11:14 PDT
</div>
</body>
</html>