Git 2.7.6

Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/RelNotes/2.7.6.txt b/Documentation/RelNotes/2.7.6.txt
new file mode 100644 (file)
index 0000000..4c6d1dc
--- /dev/null
+++ b/Documentation/RelNotes/2.7.6.txt
@@ -0,0 +1,25 @@
+Git v2.7.6 Release Notes
+========================
+
+Fixes since v2.7.5
+------------------
+
+ * A "ssh://..." URL can result in a "ssh" command line with a
+   hostname that begins with a dash "-", which would cause the "ssh"
+   command to instead (mis)treat it as an option.  This is now
+   prevented by forbidding such a hostname (which will not be
+   necessary in the real world).
+
+ * Similarly, when GIT_PROXY_COMMAND is configured, the command is
+   run with host and port that are parsed out from "ssh://..." URL;
+   a poorly written GIT_PROXY_COMMAND could be tricked into treating
+   a string that begins with a dash "-".  This is now prevented by
+   forbidding such a hostname and port number (again, which will not
+   be necessary in the real world).
+
+ * In the same spirit, a repository name that begins with a dash "-"
+   is also forbidden now.
+
+Credits go to Brian Neel at GitLab, Joern Schneeweisz of Recurity
+Labs and Jeff King at GitHub.
+

diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
index c80681ef00c09201827784e8e204a9a1e9261a76..2c156bce82b7ced133affc87893e066c0492e7e0 100755 (executable)
--- a/GIT-VERSION-GEN
+++ b/GIT-VERSION-GEN
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v2.7.5
+DEF_VER=v2.7.6
 
 LF='
 '

diff --git a/RelNotes b/RelNotes
index 1609b5af0dc71f914370c25233f94fc2748ec9d9..a256349b9df1b9cb8f8ae1b5c29e93cb58065a78 120000 (symlink)
--- a/RelNotes
+++ b/RelNotes
@@ -1 +1 @@
-Documentation/RelNotes/2.7.5.txt
\ No newline at end of file
+Documentation/RelNotes/2.7.6.txt
\ No newline at end of file