Edward Thomson


I'm a Program Manager for version control in Microsoft Visual Studio Team Services and the co-maintainer of the libgit2 project, the Git repository management library that underpins tools like GitHub, Visual Studio and Xcode. I also develop version control tools and I also write and speak about Git and version control.

Now Available: Git for Visual Studio Training

Just released: professional training for using Git inside Visual Studio. This training provides an introduction to using the Git version control system, explain differences between Git and traditional, centralized version control, and provide advanced concepts like extending the Git functionality.

Start Learning for Free

Blog: Upgrading git for CVE 2017-1000117

August 14, 2017  •  12:11 PM

A security vulnerability in Git has been announced: a bug in URL parsing can cause git clone to execute arbitrary commands. These URLs look quite suspicious, so it's unlikely that you'd be convinced through social engineering to clone them yourself. But they can be hidden in repository submodules.

Unless you're a Continuous Integration build agent, I hope that it's quite uncommon that you git clone --recursive a repository that you do not trust. So this vulnerability is rather uncommon, but as with any security vulnerability that has the possibility of remote code execution, you should upgrade your Git clients immediately.

Git version 2.14.1 is the latest and greatest version of Git, and has been patched. But most people don't actually build from source, so your version of Git is probably provided to you by a distribution. You may have different versions available to you - ones that have had the patches applied by your vendor - so you may not be able to determine if you're vulnerable simply by looking at the version number.

Here's some simple steps to determine whether you're vulnerable and some upgrade instructions if you are.