The Git project has disclosed CVE-2018-17456, a vulnerability in Git that can cause arbitrary code to be executed when a user clones a malicious repository. Git v2.19.1 has been released with a fix, along with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. We encourage all users to update their clients to protect themselves.
Until you’ve updated, you can protect yourself by avoiding submodules from untrusted repositories. This includes commands such as git clone --recurse-submodules and git submodule update.
GitHub Desktop versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. We encourage all GitHub Desktop users to update to the newest version (1.4.2 and 1.4.3-beta0) available today in the Desktop app.
Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch.
Ensure you’re on the latest Atom release by completing any of the following:
In order to be protected from the vulnerability, you must update your command-line version of Git, and any other application that may include an embedded version of Git, as they are independent of each other.
Neither GitHub.com nor GitHub Enterprise is directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories, and will reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will ship on October 9th.
This vulnerability is very similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the earlier attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program, spawned by Git, would then interpret that value as an option rather than as a host name. This attack works in a similar way, except that the dash-prefixed value is handed to the child git clone that Git spawns to fetch the submodule, so the option-injection is against git clone itself.
The problem was reported on September 23 by @joernchen, both to Git’s private security list and to GitHub’s Bug Bounty program. Developers at GitHub worked with the Git community to develop a fix.
The basic fix was clear from the report. However, due to the similarity to CVE-2017-1000117, we also audited all of the .gitmodules values and implemented stricter checks as appropriate. These checks should prevent a similar vulnerability in another code path. We also implemented detection of potentially malicious submodules as part of Git’s object quality checks (which was made much easier by the infrastructure added during the last submodule-related vulnerability).
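To make the shape of the two attacks concrete, here is an added example (not Git’s own code, nor GitHub’s detection) of the kind of check a hosting site or a pre-receive hook could run over a repository’s .gitmodules: parse the file and flag any url or path value that begins with a dash, since such a value would be read as an option by the child process (ssh in CVE-2017-1000117, git clone here). The sample .gitmodules is constructed for the example, and the parser is a deliberately minimal stand-in for Git’s config parser (it ignores quoting, continuation lines and includes).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .gitmodules, not from any real repository. The "evil"
# submodule's url starts with a dash, the shape described in the advisory;
# "evil2" has a dash-prefixed path, which the same audit must also reject.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "evil"]
\tpath = vendor/evil
\turl = -evil-option
[submodule "evil2"]
\tpath = -also-evil
\turl = https://example.com/x.git
"""


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the INI-like .gitmodules format (assumption: this
    is a simplified stand-in, not Git's config parser). Sections look like
    [submodule "name"]; entries are key = value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    section_re = re.compile(r'^\[submodule\s+"(.+)"\]\s*$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = section_re.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def looks_like_option(value: str) -> bool:
    """A value beginning with '-' is parsed as an option by the child
    process (ssh or git clone) instead of as a host, URL or path."""
    return value.startswith("-")


def find_suspicious_submodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule, key, value) for every url or path that starts
    with '-'. An empty list means nothing in the file looks like an
    injected option."""
    findings = []
    for name, entries in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = entries.get(key)
            if value is not None and looks_like_option(value):
                findings.append((name, key, value))
    return findings


if __name__ == "__main__":
    for name, key, value in find_suspicious_submodules(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: {key} = {value!r} starts with '-'")
```

Rejecting the push when this returns anything is the conservative choice: a legitimate submodule URL or path never needs to begin with a dash, so a leading dash is a strong signal regardless of which child command would have consumed it.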
The coordinated disclosure date of October 5 was selected by Git developers to allow packagers to prepare for the release. This also provided hosting sites (with custom implementations) ample time to detect and block the attack before it became public. Members of the Git community checked the JGit and libgit2 implementations. Those are not affected by the vulnerability because they clone submodules via function calls rather than separate commands.
We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild. We’re happy to report that no instances were found (and now, with our detection, none can be added).
Please update your copy of Git soon, and happy cloning!
As the seventh annual js13kGames competition comes to a close, a grand total of 274 games were submitted. Even more impressive, each one was created in a single month, using less than 13 kB.
We rounded up a few of our favorites featuring a number of different styles and genres. From dark shooters and pixelated beat ‘em ups to perplexing puzzle and platform games—enjoy some downtime this weekend and play them all (or fork and hack on them with your own customizations)!
UNDERRUN is a twin-stick shooter “in 256 shades of brown,” using WebGL, from @phoboslab. In this game, you must defend yourself from predators while figuring out how to restore power to fix all system failures. Sounds simple enough, right? See for yourself when you play this highly addictive shooter (and enjoy the haunting music). Read more about how the game was created in the retrospective.
► Play in your browser · View source
@DennisBengs created the challenging puzzle game Envisionator. The goal of the game is to escape a building on lockdown by giving a robot commands. What’s the catch? The robot needs you to give it each and every direction, step by step. One false move, and…well, you’ll see! Play Envisionator to see if you can escape.
► Play in your browser · View source
Things aren’t as black and white as they appear in ONOFF. Dodge spikes, jump over pits, and toggle between dimensions. Think you can overcome each level of traps? You’re in for a treat with this mind-boggling, fast-paced platformer from @starzonmyarmz and @braddunbar. Play it to see what we mean!
► Play in your browser · View source
The Chroma Incident by @Rybar is also a twin-stick shooter, but with a few more colors than UNDERRUN. The problem is that the color has been stolen by the Achromats, and it’s up to you to bring it back. Shoot your way through areas to reclaim those colors. Give it a go!
► Play in your browser · View source
Get nostalgic and relive some of the intense fight scenes with Neo from The Matrix. Use the arrow keys, S to kick, and D to punch your way through this JavaScript matrix from @agar3s. Can you find a way to the end of the rabbit hole before it’s too late? Play The Matri13k and test your combat skills.
► Play in your browser · View source
Not to be confused with 2048(!), 1024 Moves is a polished puzzle game from @GregPeck. Get the ball, and avoid the holes—what’s the catch? See if you can solve the entire game in less than 1,024 moves. Play and test your problem-solving skills.
► Play in your browser · View source
Think you know a little bit about world geography? Or are you lost with even the simplest of directions? Prove how much of a geography all-star you are by playing GeoQuiz2, or brush up on your worldly knowledge. You can even read about how @xem made the game in the GeoQuiz2 retrospective.
► Play in your browser · View source
@tricsi’s Spacecraft challenges you to collect as many data tokens as possible from the planets and moons of the Solar System. It’s easy, until gravity accelerates your ship and you have to avoid obstacles along the way in “space, the final frontier.” How far can you go before your probe goes offline? The only way to find out is to play on.
► Play in your browser · View source
How are your gaming reflexes? You’ll quickly find out when you jump Off the Line to collect coins in this arcade tapper from @regularkid. Take your time to figure out the best way to collect coins, or go crazy with a timed, ultra difficult ULTRA MEGA MODE (if you’re feeling lucky). Play it and see how many coins you can collect.
► Play in your browser · View source
You are the commander of a long-forgotten expedition to a distant star, and there are forces out to get you. Survive wave upon wave of enemies in Exo, a space-based tower defence game brought to you by @scorp200. Play Exo to unravel the story, arm your base, and reclaim your expedition.
► Play in your browser · View source
You are in control of your destiny in this space-based exploration game. Will you fight for the good of all or make enemies by being evil? Forge alliances, study star systems, fight against enemy combatants, and more in Everyone’s Sky from @remvst.
► Play in your browser · View source
In @herebefrogs’s Submersible Warship 2063, enemy submarines are invading, fast. Make strategic use of your sonar to identify targets and evade torpedoes. Can you beat them before they beat you? Stay off enemy radar, and fight on by playing Submersible Warship 2063.
► Play in your browser · View source
If you enjoy playing high-stakes puzzles, Re-wire was made for you. Bring the system back online by rewiring power nodes, but watch out for the traps! This game from @JMankopf will have you… wired to it for hours.
► Play in your browser · View source
This was such a difficult list to narrow down, as we enjoyed playing all of the js13kGames entries. There are hundreds more to discover, including a procedurally generated art game, an audio surfing game, and even a 13 kB Battle Royale game. Watch out, PUBG and Fortnite!
View this year’s full list of games from js13kGames
Do you have a favorite, a high score, or a fork of your own to share? We’d love to hear about it! Let us know with the #js13k hashtag.
Thank you to everyone who participated, all of the judges, and especially @end3r for running this great competition every year. Until next time! <3

It’s important to us that our users can work the way they want to. For this reason, we’ve built a new integration with Jira allowing software teams to connect their code on GitHub.com to their projects on Jira Software Cloud. The new app updates Jira with data from GitHub, providing your team with visibility into the status of your work. From planning and coding through deployment and measuring impact—this integration provides a more seamless experience.
Linking your GitHub account to Jira gives your team the ability to see their branches, commit messages, and pull requests right in the context of the Jira tickets they’re working on. You can also view references to Jira in GitHub issues and pull requests, allowing for a deeper connection. This means you don’t have to constantly switch between GitHub and Jira.

The new GitHub-managed app provides improved security, and everything—from installation to setup—is now much easier.
With the improved integration you can:
The previous version of the Jira integration will be deprecated in favor of this new GitHub-maintained integration. When you install the new app, your Jira issue data will migrate from GitHub. When the migration is complete, the legacy integration (the DVCS connector) is disabled automatically.
The integration was built with publicly-available APIs used by other apps in the GitHub ecosystem. In the next month, you’ll be able to contribute code, submit feature requests or bug reports, and learn more about how the app works.
Install the Jira Software and GitHub app to connect your GitHub repositories to your Jira instance. Check back for updates on an upcoming enterprise version of the Jira Cloud and GitHub integration.

From October 1–31, we’re once again partnering with DigitalOcean and Twilio for Hacktoberfest—a month-long event celebrating the open source community by encouraging developers to contribute to open source projects. This year, we’re also partnering with and highlighting several projects using open source to make the world a better place. We hope you’ll join us in supporting this socially impactful work by contributing to these projects:
Alex makes sure your writing is considerate by catching potentially insensitive phrasing.

Support needed:
Contributor level: Beginner to advanced
REFUGE restrooms indexes and maps safe restroom locations for trans, intersex, and gender-nonconforming individuals.

Support needed:
Contributor level: Beginner to advanced
The GliaX project is making health care accessible to everyone, everywhere. They use the newest technology to make high-quality open source medical devices and increase their availability to those who need them.
Support needed:
Contributor level: Advanced
HospitalRun aims to improve access to medical care for some of the most vulnerable patients in the world by improving the software tooling that hospital administrators in charitable hospitals use to facilitate care.
Support needed:
Contributor level: Intermediate to advanced with knowledge of Ember.js
If me is an open source, not-for-profit mental health web app that encourages people to share their experiences with loved ones and trusted allies.
Support needed:
The team recently redesigned their app, so there are opportunities to refactor code and improve performance, usability, and accessibility.
Contributor level: Beginner to advanced
Talk is an open source commenting platform focused on better conversation, brought to you by Mozilla, The Washington Post, and The New York Times.
Support needed:
Contributor level: Beginner to advanced
Through local people, local tools, and open knowledge, the Humanitarian OpenStreetMap Team works to provide open map data and tools to revolutionize disaster management, reduce risks, and address the world’s toughest challenges. When major disaster strikes anywhere in the world, thousands of volunteers come together online and on the ground to create open map data that enables disaster responders to reach those in need.
Support needed:
Contributor level: Beginner to advanced
OptiKey is an on-screen keyboard designed to help Motor Neuron Disease (MND) patients interact with Windows computers. OptiKey seeks to allow anyone to use their computer fully with only head or eye movements. Never should someone with a disability have to pay for the ability to speak to their loved ones and stay in touch with the world around them.
Support needed:
Contributor level: Beginner to advanced

In addition to inviting you to contribute to these open source projects, we’re hosting a challenge in the GitHub Community Forum where you can get recognition for contributing to projects from the Social Impact Collection during Hacktoberfest. For more information on the challenge or to sign up today, please head over to the challenge home page.
Those who complete the challenge by 11:59pm PT on October 31 will receive a limited edition badge on their Community Forum profile in recognition of their achievement and to thank them for helping projects make a positive impact.
Returning for its second year, Open Jam is an 80-hour game jam brought to you by @Jared-Sprague, @mwcz, and opensource.com. Game jams are focused on creating games under a few constraints, such as a limited time frame, a set theme, or a specific technology. Participants are encouraged to use open source game engines, libraries, tools, and Creative Commons assets.
Last year’s Open Jam theme ‘Leave a mark’ brought about a frenzy of fun games including Stellar Wrath, a game about solar system sabotage created with Godot.

Open Jam is a perfect excuse to experiment with building a game if you haven’t before. With so many tutorials online and a growing number of game engines, it’s easy to make an addictive Java-based text adventure or JavaScript-powered platformer.
The three top-rated games of Open Jam will have their playable demos featured at the All Things Open conference in Raleigh, NC from October 21–23.
Pictured: Stellar Wrath by DualWielding was one of last year’s winners on display at All Things Open.
The 2018 event kicks off on October 5, so keep refreshing the itch.io jam page for the theme announcement, tips, tutorials, and competition details. If you can’t participate in Open Jam, don’t worry: Game Off, GitHub’s very own month-long game jam, will return next month.