Just a heads up: On March 24, 2025, starting at 4:30pm CDT / 19:30 UTC, the site will be undergoing scheduled maintenance for a few hours. During this time, the site might be unavailable for a short while. Thanks for your patience.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SourceTree Update to Address GitHub Security Issue?

Frank Martinez2
Frank Martinez
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 18, 2014

Given the GitHub security issue described on Slashdot today, is there an update to SourceTree? Does the issue matter to SourceTree? If not, why not?

Answer
Watch
Like # people like this
1493 views

7 answers

3 votes
KieranA
KieranA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

Hi all,

I've just deployed Mac 2.0.4 which has updated embedded version of Git and Mercurial to address CVE-2014-9390.

The Windows version will follow shortly and in the meantime you can use a system Git/Mercurial version.

EDIT: Windows version 1.6.12 [released] addresses CVE-2014-9390.

Update: please read the blog post for instructions to update the embedded Git/Mercurial versions in SourceTree for Windows. https://blog.sourcetreeapp.com/2014/12/18/atlassian-update-for-git-and-mercurial-vulnerability/

Cheers

View More Comments
Stephan Amann
Stephan Amann December 19, 2014

You're just great! Enjoy the holiday season...

Like
Frank Martinez2
Frank Martinez
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 19, 2014

Thanks. BTW, I got this message when trying to update from within SourceTree itself: 'git log' failed with code -1:'launch path not accessible ' (complete with the new line before the last single quote)

Like
KieranA
KieranA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

This looks like a Mac issue, presumably, based on the output. It means that Git can't be found, so it's trying to execute something that's not there. Check your preferences again to ensure you're using embedded Git or a system Git version which is accessible.

Like
Reply
1 vote
Robert Glover
Robert Glover December 19, 2014

Here are the instructions from Atlassian on how to update SourceTree to a safe version of Git: https://blog.sourcetreeapp.com/2014/12/18/atlassian-update-for-git-and-mercurial-vulnerability/

Reply
1 vote
Stephan Amann
Stephan Amann December 18, 2014

There is a Blog entry, stating to switch from embedded GIT to System GIT... However, neither for Mac nor for Windows there is an uptodate command line package available (see http://git-scm.com/download/mac and http://git-scm.com/download/mac).

One workaround I found, is to install the GitHub client (https://mac.github.com/, https://windows.github.com/) and let SourceTree use the git commandline from GitHub. But this does not work (error message: fatal: Unable to find remote helper for 'http'), or compile GIT from the sources.

Atlassian should come up asap with an update for SourceTree!

View More Comments
Seth
Seth
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

It may have changed in the last few hours, but git-scm.com/download/win has version 1.9.5, which is listed as one of the safe options.

Like
Reply
0 votes
KieranA
KieranA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

I've posted an answer on this thread, thanks for bringing this AAC Q to my attention.

Reply
0 votes
Seth
Seth
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

Maybe @Kieran Senior [Atlassian] can give us an idea when/if there will be an update to SourceTree's embedded git.

Reply
0 votes
Thomas Casteleyn
Thomas Casteleyn
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 19, 2014

You could install latest git (2.2.1) with homebrew this way:

brew install git

And then simply point to /usr/local/bin/git as system git in SourceTree.

Reply
0 votes
Robert Glover
Robert Glover December 19, 2014

My experience on MAC was that when I told SourceTree to use System Git,  it offered to install "Apple Git".  I took that option, "Apple Git" installed itself,  and SourceTree since then has been pointing to that version of git, as shown below:

RdgJrMacBookPro:SourceTreeTest1 rdg$ cd /usr/bin

RdgJrMacBookPro:bin rdg$ ls -lsa git

8 -rwxr-xr-x  1 root  wheel  14160 Sep 26 22:06 git

RdgJrMacBookPro:bin rdg$ git --version

git version 1.9.3 (Apple Git-50)

RdgJrMacBookPro:bin rdg$ pwd

/usr/bin

RdgJrMacBookPro:bin rdg$ 


In the case of Win7,  I also run SourceTree on Win7 via bootcamp.  Over there, I had already installed git before I installed SourceTree.  I think it was "msysgit".  Anywhere, it was a simple matter of pointing SourceTree to the location of "git" in that prior installation, to use instead of SourceTree's internal git.

View More Comments
Seth
Seth
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 19, 2014

According to the blog post, you may still be vulnerable. The recommended 1.9.x release is 1.9.5, your Apple Git is 1.9.3.

Like
Robert Glover
Robert Glover December 19, 2014

Yes, I agree. I need to upgrade from 1.9.3 to 1.9.5. Thanks for pointing this out. My guess is that Atlassian will issue an update for SourceTree quickly that makes their internal version safe as well.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Sourcetree
Sourcetree
TAGS
AUG Leaders

Atlassian Community Events

    See all events