libgit2 v0.25.1

@carlosmn carlosmn released this Jan 9, 2017

This is a security release fixing two issues. The first one performs extra sanitization for some edge cases in the Git Smart Protocol which can lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. It provides a valid parameter to indicate whether the native cryptographic library considered the certificate to be correct. This parameter is always 1/true before this fix leading to a possible MITM.

This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.

A list of commits since the last release follows

2ac57aa89 https: don't test that RC4 is invalid
3829ba2e7 http: correct the expected error for RC4
a5cf255b4 Bump version to 0.25.1
2fdef641f smart_pkt: treat empty packet lines as error
66e3774d2 smart_pkt: verify packet length exceeds PKT_LEN_SIZE
98d66240e http: perform 'badssl' check also via certificate callback
9a64e62f0 http: check certificate validity before clobbering the error variable

Downloads