git-annex 6.20180626 is an important security fix release.

See the advisory for details about the security holes fixed in this release.

After upgrading git-annex, you should restart any git-annex assistant processes.

Several changes to git-annex's behavior had to be made as part of the security fixes:

  • A security fix has changed git-annex to refuse to download content from some special remotes when the content cannot be verified with a hash check. In particular URL and WORM keys stored on such remotes won't be downloaded. See the documentation of the annex.security.allow-unverified-downloads configuration for how to deal with this if it affects your files.

  • A security fix has changed git-annex to only support http, https, and ftp URL schemes by default. You can enable other URL schemes, at your own risk, using annex.security.allowed-url-schemes.

  • A related security fix prevents git-annex from connecting to http servers (and proxies) on localhost or private networks. This can be overridden, at your own risk, using annex.security.allowed-http-addresses.

  • Setting annex.web-options no longer is enough to make curl be used, and youtube-dl is also no longer used by default. See the documentation of annex.security.allowed-http-addresses for details and how to enable them.

  • The annex.web-download-command configuration has been removed, use annex.web-options instead.