libgit2 v0.24.6

carlosmn released this Jan 9, 2017

This is a security release fixing two issues. The first adds extra sanitization for some edge cases in the Git Smart Protocol packet parsing which could lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. It now passes a meaningful value in the valid parameter, which indicates whether the native cryptographic library considered the certificate to be correct. Before this fix, this parameter was always 1/true, leading to a possible MITM.

This does not affect you if you do not use a custom certificate callback, or if you do not take this value into account. It does affect you if you use pygit2 or git2go, regardless of whether you specify a certificate check callback.
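As an added example (our own code, not libgit2's), the following bounds-checked pkt-line parser shows the checks the smart_pkt commits in this release describe: a declared length below PKT_LEN_SIZE, an empty packet, and a length larger than the buffer are all rejected before any payload byte is read. The function and result-code names are our own.

```c
#include <stddef.h>
#include <stdio.h>

#define PKT_LEN_SIZE 4  /* the 4 hex digits that open every pkt-line */
/* Result codes (our own names, not libgit2's). */
enum { PKT_OK = 0, PKT_FLUSH = 1, PKT_ERR_SHORT = -1, PKT_ERR_BADLEN = -2, PKT_ERR_EMPTY = -3 };

static int hexval(char c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Parse the pkt-line at buf[0..buflen). On PKT_OK, *payload/*payload_len describe the data and
 * *consumed the bytes used; on PKT_FLUSH only *consumed is set. No byte past buflen is read. */
int pkt_parse(const char *buf, size_t buflen, const char **payload,
              size_t *payload_len, size_t *consumed)
{
    size_t len = 0, i;
    if (buflen < PKT_LEN_SIZE) return PKT_ERR_SHORT;      /* not even a full header */
    for (i = 0; i < PKT_LEN_SIZE; i++) {
        int v = hexval(buf[i]);
        if (v < 0) return PKT_ERR_BADLEN;                  /* non-hex length */
        len = (len << 4) | (size_t)v;
    }
    if (len == 0) { *consumed = PKT_LEN_SIZE; return PKT_FLUSH; }  /* "0000" */
    if (len < PKT_LEN_SIZE) return PKT_ERR_BADLEN;         /* "0001".."0003": len - 4 would underflow */
    if (len == PKT_LEN_SIZE) return PKT_ERR_EMPTY;         /* "0004": no payload, an error in this release */
    if (len > buflen) return PKT_ERR_SHORT;                /* header claims more than we hold */
    *payload = buf + PKT_LEN_SIZE;
    *payload_len = len - PKT_LEN_SIZE;
    *consumed = len;
    return PKT_OK;
}

int main(void)
{
    /* Constructed stream: one data packet, a flush, then a packet whose header overstates its size. */
    const char stream[] = "0009hello" "0000" "0010short";
    size_t off = 0, total = sizeof(stream) - 1;
    while (off < total) {
        const char *p; size_t plen, used;
        int r = pkt_parse(stream + off, total - off, &p, &plen, &used);
        if (r == PKT_OK) printf("data: %.*s\n", (int)plen, p);
        else if (r == PKT_FLUSH) printf("flush\n");
        else { printf("rejected with code %d\n", r); break; }
        off += used;
    }
    return 0;
}
```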

A list of commits since the last release follows:

45a2ee3f4 https: don't test that RC4 is invalid
d3cb8f64c http: correct the expected error for RC4
2b9298bfe Bump version to 0.24.6
84d30d569 smart_pkt: treat empty packet lines as error
4ac39c76c smart_pkt: verify packet length exceeds PKT_LEN_SIZE
ca5319566 http: perform 'badssl' check also via certificate callback
b5c6a1b40 http: check certificate validity before clobbering the error variable