The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.
We recommend that all client users of Git and Mercurial, including Fisheye, Crucible, and Sourcetree users, update their Git client with one of the published Git maintenance releases (220.127.116.11, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) or Mercurial client with the latest release.
While this is a client-side vulnerability, if you are using Atlassian Stash for Git hosting we also recommend upgrading the version of Git on your Stash server and optionally securing your server to prevent proliferation of repository commits that exploit the vulnerability.
Bamboo Server users should also update Git and Mercurial to a fixed version on the server and on the agents and make sure that they are using native Git as a capability instead of using the built-in Git support of Bamboo. All directories under xml-data/build-dir of your Bamboo home directory and agents should be deleted as well. Bamboo Cloud and Elastic Bamboo users with custom Windows AMIs should update Git and Mercurial on all your Windows AMIs. A new Windows stock image with an updated version of Git and Mercurial will be published soon for the customers using the default Windows AMI. All directories under xml-data/build-dir of your elastic agents should be deleted as well.
- Stash instructions
- Fisheye and Crucible instructions
- Sourcetree for Windows instructions
- Sourcetree for Mac instructions
Updated on December 23rd at 11:00 PST to include reference to Securing your Git server against CVE-2014-9390.