What can I do to protect all my users from vulnerability to CVE-2014-9390 ?
Already suggested the users to update their git clients, what else can I do on the server-side ?
And I noticed that repos hosted on github
"cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on
github.comto look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data."
For the Stash side, foremost, upgrade the Git version on the server to a safe version. Once you've done that, you can enable exactly the same protections Github is enforcing with a couple new Git settings added with the fix:
git config --bool core.protectHFS true
git config --bool core.protectNTFS true
git config --bool receive.fsckObjects true
There are two ways to apply these settings to all of your Stash repositories:
To apply the settings to each repository, you could use (assuming you're running on Linux, and your current working directory is STASH_HOME/shared/data/repositories):
for repo in `ls`; do echo $repo; cd $repo; git config --bool core.protectHFS true; git config --bool core.protectNTFS true; git config --bool receive.fsckObjects true; cd ..; done
(Note that if you're running Stash 3.1 or older you'd run that same command in STASH_HOME/data/repositories, without "shared")
Further, just so you're aware, we're working on patch releases of Stash for 3.1 and higher that will automatically reconfigure all of your repositories this way, so you don't have to manually do this unless you're in a hurry to get your repositories locked down.
Note that applying these settings does nothing if you are not running a fixed version of Git on the server! With the settings applied, users who attempt to push exploit paths will see:
Aphrael:hfs-exploit bturner$ git push --all http://admin@localhost:7990/stash/scm/cve/9390-hfs-exploit.git
Password for 'http://admin@localhost:7990':
Counting objects: 8, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (8/8), 638 bytes | 0 bytes/s, done.
Total 8 (delta 0), reused 0 (delta 0)
remote: error: object 675271b397520010afaa76aa1a2e718aab02dd60:contains '.git'
remote: fatal: Error in object
error: unpack failed: unpack-objects abnormal exit
! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'http://admin@localhost:7990/stash/scm/cve/9390-hfs-exploit.git'
Hope this helps,
As a project manager, I have discovered that different developers want to bring their previous branching method with them when they join the team. Some developers are used to performing individual wo...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs