SourceTree Update to Address GitHub Security Issue?

Given the GitHub security issue described on Slashdot today, is there an update to SourceTree? Does the issue matter to SourceTree? If not, why not?

7 answers

Hi all,

I've just deployed Mac 2.0.4, which has an updated embedded version of Git and Mercurial to address CVE-2014-9390.

The Windows version will follow shortly and in the meantime you can use a system Git/Mercurial version.

EDIT: Windows version 1.6.12 [released] addresses CVE-2014-9390.

Update: please read the blog post for instructions to update the embedded Git/Mercurial versions in SourceTree for Windows. https://blog.sourcetreeapp.com/2014/12/18/atlassian-update-for-git-and-mercurial-vulnerability/

Cheers

You're just great! Enjoy the holiday season...

Thanks. BTW, I got this message when trying to update from within SourceTree itself: 'git log' failed with code -1:'launch path not accessible ' (complete with the new line before the last single quote)

This looks like a Mac issue, presumably, based on the output. It means that Git can't be found, so it's trying to execute something that's not there. Check your preferences again to ensure you're using embedded Git or a system Git version which is accessible.

There is a blog entry stating to switch from embedded Git to system Git... However, neither for Mac nor for Windows is there an up-to-date command line package available (see http://git-scm.com/download/mac and http://git-scm.com/download/mac).

One workaround I found is to install the GitHub client (https://mac.github.com/, https://windows.github.com/) and let SourceTree use the git command line from GitHub. But this does not work (error message: fatal: Unable to find remote helper for 'http'), or compile Git from the sources.

Atlassian should come up ASAP with an update for SourceTree!

It may have changed in the last few hours, but git-scm.com/download/win has version 1.9.5, which is listed as one of the safe options.

Here are the instructions from Atlassian on how to update SourceTree to a safe version of Git: https://blog.sourcetreeapp.com/2014/12/18/atlassian-update-for-git-and-mercurial-vulnerability/

My experience on Mac was that when I told SourceTree to use System Git, it offered to install "Apple Git". I took that option, "Apple Git" installed itself, and SourceTree since then has been pointing to that version of git, as shown below:

    RdgJrMacBookPro:SourceTreeTest1 rdg$ cd /usr/bin
    RdgJrMacBookPro:bin rdg$ ls -lsa git
    8 -rwxr-xr-x  1 root  wheel  14160 Sep 26 22:06 git
    RdgJrMacBookPro:bin rdg$ git --version
    git version 1.9.3 (Apple Git-50)
    RdgJrMacBookPro:bin rdg$ pwd
    /usr/bin
    RdgJrMacBookPro:bin rdg$ 


In the case of Win7, I also run SourceTree on Win7 via Boot Camp. Over there, I had already installed git before I installed SourceTree. I think it was "msysgit". Anyway, it was a simple matter of pointing SourceTree to the location of "git" in that prior installation, to use instead of SourceTree's internal git.

According to the blog post, you may still be vulnerable. The recommended 1.9.x release is 1.9.5, your Apple Git is 1.9.3.

Yes, I agree. I need to upgrade from 1.9.3 to 1.9.5. Thanks for pointing this out. My guess is that Atlassian will issue an update for SourceTree quickly that makes their internal version safe as well.

You could install latest git (2.2.1) with homebrew this way:

brew install git

And then simply point to /usr/local/bin/git as system git in SourceTree.

Maybe @Kieran Senior [Atlassian] can give us an idea when/if there will be an update to SourceTree's embedded git.

I've posted an answer on this thread, thanks for bringing this AAC Q to my attention.
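
The replies above turn on whether the Git binary SourceTree points at is new enough (Apple Git 1.9.3 versus the recommended 1.9.5). The following check is an added example, not something posted in the thread or provided by Atlassian. The function names are hypothetical, and the only fixed releases it knows are the two the thread names: 1.9.5 for the 1.9.x series and 2.2.1, the latest release at the time. Any other series is reported as needing a look at the advisory.

```shell
#!/bin/sh
# Added example: classify a `git --version` line for CVE-2014-9390
# using only the fixed releases named in this thread (1.9.5 and 2.2.1).

# "git version 1.9.3 (Apple Git-50)" -> "1.9.3"; prints nothing if unparsable.
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Succeeds when dotted version $1 >= $2 (first four numeric components).
version_ge() {
    a="$1.0.0.0"; b="$2.0.0.0"   # pad so every field exists for cut
    for i in 1 2 3 4; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Prints one of: ok, vulnerable, check-advisory, unparsed.
check_git() {
    v=$(parse_git_version "$1")
    [ -n "$v" ] || { echo unparsed; return; }
    # 2.2.1 and anything newer carries the fix.
    if version_ge "$v" 2.2.1; then echo ok; return; fi
    series=$(printf '%s' "$v" | cut -d. -f1,2)
    case $series in
        2.2) echo vulnerable ;;   # 2.2.0 predates the 2.2.1 fix
        1.9) if version_ge "$v" 1.9.5; then echo ok; else echo vulnerable; fi ;;
        *)   echo check-advisory ;;  # fixed release for this series is not named in the thread
    esac
}
```

Run it against the exact binary SourceTree is configured to use, for example `check_git "$(/usr/local/bin/git --version)"`, since the embedded and system copies can differ.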
