Vulnerability in Git and an Off-cycle Security Release from RhodeCode

Published on March 17, 2016, by Dmitrii Konchalenkov


Security is one of the core values of RhodeCode. As soon as we got to know about security flaw in Git, we prepared an off-cycle, security-fix release of RhodeCode 3.8.2 and RhodeCode 3.8.3.

It fixes a serious remote code execution vulnerability in Git, and we strongly recommend updating your RhodeCode instance to the latest version.

Type rccontrol self-update && rccontrol upgrade '*' in the command line interface.

An issue in older versions of Git (prior to Git 2.7.4) makes systems vulnerable to server- and client-side remote code execution. In short, a buffer overflow in Git allows remote code execution on both the server and the client. The bug affects Git versions prior to 2.7.4; you can read more about it in the mailing list of the Open Source Security group.

The issue poses a significant level of risk; therefore, we recommend that users update their RhodeCode instance to version 3.8.3. As with other releases, you can do so by typing
rccontrol self-update && rccontrol upgrade '*' in the command line interface. Read the update documentation for more guidance.

We also advise updating your systems and tools to the latest Git version (2.7.4 at the time of writing).
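To check whether a host still runs a Git older than the fixed 2.7.4 release, the following POSIX shell check compares the version numerically field by field (so that 2.10.x is correctly treated as newer than 2.7.4). It is an added example, not part of the RhodeCode post or of rccontrol, and it assumes `git --version` prints a line of the form `git version X.Y.Z`.

```shell
#!/bin/sh
# Added example (not RhodeCode's code): flag Git installs older than the
# release named in the announcement. Versions are compared per numeric
# field, so "2.10.0" is newer than "2.7.4" even though it sorts lower as text.

FIXED_GIT_VERSION="2.7.4"

# version_lt A B -> returns 0 if dotted version A is older than B, else 1.
# Both are padded with ".0.0" so short versions such as "2.7" still parse.
version_lt() {
    a="$1.0.0"; b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# git_needs_update "git version 2.6.5" -> 0 if older than 2.7.4,
# 1 if fixed, 2 if the string could not be parsed.
# Vendor suffixes such as " (Apple Git-70)" or ".windows.1" are ignored.
git_needs_update() {
    v=$(printf '%s' "$1" | sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_GIT_VERSION"
}

# Check the locally installed git, if there is one.
if command -v git >/dev/null 2>&1; then
    if git_needs_update "$(git --version)"; then
        echo "git is older than $FIXED_GIT_VERSION: update it"
    else
        echo "git is $FIXED_GIT_VERSION or newer"
    fi
fi
```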

Yours securely,
RhodeCode team.