-
git (1:2.25.1-1ubuntu3.12) focal-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2024-32004.patch: detect dubious ownership of
local repositories in path.c, setup.c, setup.h.
- CVE-2024-32004
* SECURITY UPDATE: Overwrite of possible malicious hardlink
- debian/patches/CVE-2024-32020.patch: refuse clones of unsafe
repositories in builtin/clone.c, t0033-safe-directory.sh.
- CVE-2024-32020
* SECURITY UPDATE: Unauthenticated attacker to place a repository
on their target's local system that contains symlinks
- debian/patches/CVE-2024-32021.patch: abort when hardlinked source and
target file differ in builtin/clone.c
- CVE-2024-32021
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default
in builtin/upload-pack.c, promisor-remote.c
- CVE-2024-32465
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 22 May 2024 11:58:06 -0300
-
git (1:2.25.1-1ubuntu3.11) focal-security; urgency=medium
* SECURITY UPDATE: Overwriting path
- debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
--reject overwriting existing .rej symlink if it exists in apply.c,
t/t4115-apply-symlink.sh.
- CVE-2023-25652
* SECURITY UPDATE: Malicious placement of crafted messages
- debian/patches/CVE-2023_25652_25815_29007/0024-*.patch:
avoid using gettext if the locale dir is not present in
gettext.c.
- CVE-2023-25815
* SECURITY UPDATE: Arbitrary configuration injection
- debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
fixed-sized buffer when renaming/deleting a section in config.c,
t/t1300-config.sh.
- debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
integer truncation in copy_or_rename_section_in_file() in config.c.
- debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
overly-long lines in copy_or_rename_section_in_file in config.c.
- CVE-2023-29007
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 26 Apr 2023 09:52:23 -0300
-
git (1:2.25.1-1ubuntu3.10) focal-security; urgency=medium
* SECURITY UPDATE: Overwritten path and using
local clone optimization even when using a non-local transport
- debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust
a mismatch data type in attr.c.
- debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate
clone_local() with ambiguous transport in
t/t5619-clone-local-ambiguous-transport.sh.
- debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay
picking a transport until after get_repo_path() in builtin/clone.c.
- debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level
symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h,
t/t0066-dir-iterator.sh, t/t5604-clone-reference.sh.
- debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind
newly created symbolic links in apply.c, t/t4115-apply-symlink.sh.
- CVE-2023-22490
- CVE-2023-23946
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 08 Feb 2023 11:21:13 -0300
-
git (1:2.25.1-1ubuntu3.8) focal-security; urgency=medium
* SECURITY REGRESSION: Previous update was incomplete, which could cause regressions
- debian/patches/CVE_2022_23521_and_41903/0012-*.patch: update patch with
missed parts (LP: #2003246).
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 19 Jan 2023 08:22:47 -0300
-
git (1:2.25.1-1ubuntu3.7) focal-security; urgency=medium
* SECURITY UPDATE: Integer overflow
- debian/patches/CVE_2022_23521_and_41903/00*.patch:
attr.c, attr.h, pretty.c, column.c, utf8.c, utf8.h,
t/t4205-log-pretty-formats.sh, t/test-lib.sh, git-compat-util.h,
t/t0003-attributes.sh.
- CVE-2022-23521
- CVE-2022-41903
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 12 Jan 2023 09:56:29 -0300
-
git (1:2.25.1-1ubuntu3.6) focal-security; urgency=medium
* SECURITY UPDATE: Unexpected behavior
- debian/patches/CVE-2022-39253-*.patch: disallow --local
clones with symlinks and additionally changed the
protocol.file.allow to be user by default in
builtin/clone.c, transport.c, and modified tests in
t/t5604-clone-reference.sh,
lib-submodule-update.sh, t/t1091-sparse-checkout-builtin.sh,
t/t1500-rev-parse.sh, t/t2400-worktree-add.sh,
t/t2403-worktree-move.sh, t/t2405-worktree-submodule.sh,
t/t3200-branch.sh, t/t3420-rebase-autostash.sh,
t/t3426-rebase-submodule.sh, t/t3512-cherry-pick-submodule.sh,
t/t3600-rm.sh, t/t3906-stash-submodule.sh,
t/t4059-diff-submodule-not-initialized.sh,
t/t4060-diff-submodule-option-diff-format.sh,
t/t4067-diff-partial-clone.sh,
t/t4208-log-magic-pathspec.sh, t/t5510-fetch.sh,
t/t5526-fetch-submodules.sh, t/t5545-push-options.sh,
t/t5572-pull-submodule.sh, t/t5601-clone.sh,
t/t5614-clone-submodules-shallow.sh, t/t5616-partial-clone.sh,
t/t5617-clone-submodules-remote.sh, t/t6008-rev-list-submodule.sh,
t/t6134-pathspec-in-submodule.sh,
t/t7001-mv.sh, t/t7064-wtstatus-pv2.sh,
t/t7300-clean.sh, t/t7400-submodule-basic.sh,
t/t7403-submodule-sync.sh, t/t7406-submodule-update.sh,
t/t7407-submodule-foreach.sh, t/t7408-submodule-reference.sh,
t/t7409-submodule-detached-work-tree.sh, t/t7411-submodule-config.sh,
t/t7413-submodule-is-active.sh, t/t7414-submodule-mistakes.sh,
t/t7415-submodule-names.sh, t/t7416-submodule-dash-url.sh,
t/t7417-submodule-path-url.sh, t/t7418-submodule-sparse-gitmodules.sh,
t/t7419-submodule-set-branch.sh, t/t7420-submodule-set-url.sh,
t/t7421-submodule-summary-add.sh, t/t7506-status-submodule.sh,
t/t7507-commit-verbose.sh, t/t7800-difftool.sh,
t/t7814-grep-recurse-submodules.sh, t/t9304-fast-import-marks.sh,
t/t9350-fast-export.sh, t/t1092-sparse-checkout-compatibility.sh,
t/t2080-parallel-checkout-basics.sh, t/t7450-bad-git-dotfiles.sh.
- CVE-2022-39253
* SECURITY UPDATE: Arbitrary heap writes
- debian/patches/CVE-2022-39260-*.patch: limit size of interactive
commands and reject too-long cmdline strings in split_cmdline()
in shell.c, t/t9850-shell.sh, alias.c.
- CVE-2022-39260
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 13 Oct 2022 13:36:40 -0300
-
git (1:2.25.1-1ubuntu3.5) focal-security; urgency=medium
* SECURITY UPDATE: Potential arbitrary code execution
- debian/patches/CVE-2022-29187-1.patch: adds a regression test:
git needs safe.directory when using sudo, in
t/t0034-root-safe-directory.sh.
- debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
checks if running privileged in git-compat-util.h,
t/t0034-root-safe-directory.sh.
- debian/patches/CVE-2022-29187-3.patch: add negative tests
and allow git init to mostly work under sudo in
t/lib-sudo.sh.
- debian/patches/CVE-2022-29187-4.patch: allow root
to access both SUDO_UID and root owned in git-compat-util.h,
t/t0034-root-safe-directory.sh.
- debian/patches/CVE-2022-29187-5.patch: add tests for safe.directory
in t/t0033-safe-directory.sh, setup.c.
- debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
post CVE-2022-24765 in setup.c.
- CVE-2022-29187
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Jul 2022 12:13:30 -0300
-
git (1:2.25.1-1ubuntu3.4) focal-security; urgency=medium
* SECURITY REGRESSION: Previous update was incomplete causing regressions
and not correctly fixing the issue.
- debian/patches/CVE-2022-24765-5.patch: fix safe.directory
key not being checked in setup.c.
- debian/patches/CVE-2022-24765-6.patch:
opt-out of check with safe.directory=* in setup.c. (LP: #1970260)
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 25 Apr 2022 20:21:34 -0300
-
git (1:2.25.1-1ubuntu3.3) focal-security; urgency=medium
* SECURITY UPDATE: Run commands in diff users
- debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
an owner check for the top-level-directory; add a function to
determine whether a path is owned by the current user in patch.c,
t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
git-compat-util.h.
- CVE-2022-24765
-- Leonidas Da Silva Barbosa <email address hidden> Fri, 08 Apr 2022 09:57:16 -0300
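The CVE-2022-24765 and CVE-2022-29187 entries above describe the ownership check behind git's "dubious ownership" refusal and the safe.directory opt-out. The following is an added example, not code from the Ubuntu/Debian git package or from upstream git: it audits a directory tree from a defender's side and reports which checkouts git would refuse after this update, so shared build hosts can be fixed up (by correcting ownership or adding safe.directory entries) before the rollout. It models the check with plain POSIX uid ownership of the repository top-level, treats safe.directory as a list of exact paths or the "*" opt-out, and models the sudo/SUDO_UID refinement as a trusted_uids argument; the function names and the sample tree are constructed for this example.

```python
"""Audit git checkouts for the "dubious ownership" condition that the
safe.directory check refuses.  Added example, not code from the git package
or from upstream; it models the check with POSIX uid ownership of the
repository top-level and treats safe.directory as exact paths or "*".
The trusted_uids argument is an assumption standing in for the SUDO_UID
handling described in the CVE-2022-29187 entry."""
import os
import tempfile
from pathlib import Path


def is_git_toplevel(path):
    # A worktree top-level has a .git directory (or a .git file for
    # linked worktrees and submodules).
    return (Path(path) / ".git").exists()


def allowed_by_safe_directory(path, safe_dirs):
    # safe.directory=* opts out of the ownership check entirely.
    if "*" in safe_dirs:
        return True
    wanted = {os.path.realpath(d) for d in safe_dirs}
    return os.path.realpath(path) in wanted


def audit_repositories(root, current_uid, safe_dirs=(), trusted_uids=()):
    """Return {relative_repo_path: "ok" | "dubious"} for each repository under root.

    A repository is "dubious" when its top-level directory is owned by a uid
    that is neither the current user nor one of trusted_uids, and the path
    is not listed in safe_dirs.
    """
    trusted = {current_uid, *trusted_uids}
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never descend into .git
        if not is_git_toplevel(dirpath):
            continue
        owner = os.stat(dirpath).st_uid
        ok = owner in trusted or allowed_by_safe_directory(dirpath, safe_dirs)
        report[os.path.relpath(dirpath, root)] = "ok" if ok else "dubious"
    return report


def build_sample_tree(base):
    """Constructed fixture: two repositories and one plain directory."""
    for name in ("repo-a", "repo-b"):
        (Path(base) / name / ".git").mkdir(parents=True)
    (Path(base) / "not-a-repo").mkdir()


def demo():
    """Run the audit over the constructed tree under five scenarios."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        me = os.getuid()
        other = me + 1  # pretend to be a user who does not own the checkouts
        return {
            "as_owner": audit_repositories(base, me),
            "as_other_user": audit_repositories(base, other),
            "with_safe_dir": audit_repositories(
                base, other, safe_dirs=[os.path.join(base, "repo-a")]),
            "with_opt_out": audit_repositories(base, other, safe_dirs=["*"]),
            "with_trusted_uid": audit_repositories(base, other, trusted_uids=[me]),
        }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The "with_opt_out" scenario shows why safe.directory=* (the LP: #1970260 opt-out) should be a last resort: it silences the check for every repository on the host, whereas listing the specific paths keeps the protection for everything else.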
-
git (1:2.25.1-1ubuntu3.2) focal-security; urgency=medium
* SECURITY UPDATE: cross-protocol request via newline character in repo path
- debian/patches/CVE-2021-40330.patch: forbid newline in git:// hosts and
repo paths
- CVE-2021-40330
-- Spyros Seimenis <email address hidden> Thu, 09 Sep 2021 14:42:33 +0300
-
git (1:2.25.1-1ubuntu3.1) focal-security; urgency=medium
* SECURITY UPDATE: remote code exec during clone on case-insensitive FS
- debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
follow symlinks in leading path in cache.h, compat/mingw.c,
git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
t/t0021/rot13-filter.pl, t/t2006-checkout-index-basic.sh,
unpack-trees.c.
- CVE-2021-21300
-- Marc Deslauriers <email address hidden> Thu, 04 Mar 2021 08:01:28 -0500
-
git (1:2.25.1-1ubuntu3) focal; urgency=medium
* SECURITY UPDATE: credential helper issue with missing host or scheme
- debian/patches/CVE-2020-11008-1.patch: make "quit" helper more
realistic in t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-2.patch: use more realistic inputs in
t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-3.patch: parse URL without host as
empty host, not unset in credential.c, http.c,
t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-4.patch: refuse to operate when missing
host or protocol in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-5.patch: convert gitmodules url to URL
passed to curl in fsck.c, t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-6.patch: die() when parsing invalid
urls in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-7.patch: treat URL without scheme as
invalid in credential.c, fsck.c, t/t5550-http-fetch-dumb.sh,
t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-8.patch: treat URL with empty scheme as
invalid in credential.c, t/t5550-http-fetch-dumb.sh,
t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-9.patch: reject URL with empty host in
.gitmodules in fsck.c, t/t7416-submodule-dash-url.sh.
- CVE-2020-11008
-- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 11:50:03 -0400
-
git (1:2.25.1-1ubuntu2) focal; urgency=medium
* SECURITY UPDATE: credential helper issue with newlines in URL
- debian/patches/CVE-2020-5260-1.patch: avoid writing values with
newlines in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-5260-2.patch: use test_i18ncmp to check
stderr in t/lib-credential.sh.
- debian/patches/CVE-2020-5260-3.patch: detect unrepresentable values
when parsing urls in credential.c, credential.h,
t/t0300-credentials.sh.
- debian/patches/CVE-2020-5260-4.patch: detect gitmodules URLs with
embedded newlines in fsck.c, t/t7416-submodule-dash-url.sh.
- CVE-2020-5260
-- Marc Deslauriers <email address hidden> Tue, 14 Apr 2020 08:31:47 -0400
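The CVE-2020-11008 and CVE-2020-5260 entries above both concern what a URL must look like before git asks a credential helper about it: no newline in any value, and a real scheme and host rather than guessed ones. The following is an added example, not code from git's credential.c: it reimplements those two rules in Python on top of the standard urllib.parse module and shows the key=value request a helper would receive. The function names and the sample URLs are constructed for this example.

```python
"""Validate a URL before it is handed to a credential helper.  Added example,
not code from git's credential.c; it reimplements the two rules described in
the CVE-2020-5260 and CVE-2020-11008 changelog entries.  Function names and
sample URLs are constructed for this example."""
from urllib.parse import urlsplit


class CredentialUrlError(ValueError):
    """Raised for a URL git would refuse to ask a helper about."""


def parse_credential_url(url):
    """Return the protocol/host/path a helper would be asked about, or raise.

    The helper protocol is line based ("key=value" per line, blank line
    terminates), so a value containing a newline would be read by the helper
    as an extra field; NUL is rejected for the same reason (CVE-2020-5260).
    The check runs before urlsplit() because recent CPython strips newline
    and tab characters while parsing, which would hide the problem.
    """
    if any(c in url for c in "\r\n\0"):
        raise CredentialUrlError("URL contains an unrepresentable character")
    parts = urlsplit(url)
    # A URL with a missing or empty scheme must be treated as invalid rather
    # than guessed (CVE-2020-11008); the same goes for a missing host below.
    if not parts.scheme:
        raise CredentialUrlError("URL has no scheme")
    # Drop userinfo; keep any port, since it is part of the credential key.
    host = parts.netloc.rpartition("@")[2]
    if not host:
        raise CredentialUrlError("URL has no host")
    return {"protocol": parts.scheme, "host": host, "path": parts.path.lstrip("/")}


def is_safe_credential_url(url):
    """True when the URL passes both checks, False when git would refuse it."""
    try:
        parse_credential_url(url)
        return True
    except CredentialUrlError:
        return False


def helper_request_lines(url, use_http_path=False):
    """Serialise the request as a helper would receive it.

    Mirrors credential.useHttpPath: the path is only sent when asked for.
    """
    cred = parse_credential_url(url)
    fields = [("protocol", cred["protocol"]), ("host", cred["host"])]
    if use_http_path and cred["path"]:
        fields.append(("path", cred["path"]))
    return [f"{key}={value}" for key, value in fields]


if __name__ == "__main__":
    samples = (
        "https://example.com/repo.git",   # accepted
        "https://example.com/a\nb",       # newline: unrepresentable
        "://example.com/repo.git",        # empty scheme
        "https:///repo.git",              # empty host
    )
    for sample in samples:
        outcome = helper_request_lines(sample) if is_safe_credential_url(sample) else "rejected"
        print(repr(sample), "->", outcome)
```

Ordering matters in the first function: because urllib.parse (like git's own parser after these fixes) normalises or strips some characters, the newline check must look at the raw string before any parsing, not at the parsed fields afterwards.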
-
git (1:2.25.1-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
- Don't build-depend on subversion on i386, it is not reasonable to
support on the partial arch.
git (1:2.25.1-1) unstable; urgency=low
* new upstream point release (see RelNotes/2.25.1.txt).
* update debian/copyright.
* debian/control: remove Gerrit Pape from the Maintainer field,
as requested. Thanks to Gerrit for putting together this
package in a way that has been pleasant to maintain.
* debian/rules: use "dpkg-architecture" instead of "uname -m" to
retrieve host arch. This makes the resulting "git version
--build-options" more predictable when building for i386 on an
amd64 machine (thx to Ceridwen for detecting this in reprotest).
-- Steve Langasek <email address hidden> Thu, 20 Feb 2020 14:55:13 -0800
-
git (1:2.25.0-1ubuntu1) focal; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
- Don't build-depend on subversion on i386, it is not reasonable to
support on the partial arch.
git (1:2.25.0-1) unstable; urgency=low
* new upstream release (see RelNotes/2.25.0.txt).
* build against Python 3 (thx Steve Langasek, closes: #948832).
git (1:2.25.0~rc2-1) unstable; urgency=low
* new upstream release candidate.
git (1:2.25.0~rc1-1) unstable; urgency=low
* new upstream release candidate.
git (1:2.25.0~rc0-1) unstable; urgency=low
* new upstream release candidate (see RelNotes/2.25.0.txt).
-- Marc Deslauriers <email address hidden> Thu, 30 Jan 2020 13:20:28 -0500
-
git (1:2.24.0-1ubuntu2) focal; urgency=medium
* Don't build-depend on subversion on i386, it is not reasonable to
support on the partial arch.
* Set PYTHON_PATH=/usr/bin/python2 and build-depend on python2 not python.
-- Steve Langasek <email address hidden> Mon, 13 Jan 2020 07:04:49 -0800
-
git (1:2.24.0-1ubuntu1) focal; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
git (1:2.24.0-1) unstable; urgency=medium
* new upstream release (see RelNotes/2.24.0.txt).
git (1:2.24.0~rc2-1) unstable; urgency=low
* new upstream release candidate.
git (1:2.24.0~rc1-1) unstable; urgency=medium
* new upstream release candidate.
* test-tool: read --total as an int, not uint64 (thx John Paul Adrian
Glaubitz; closes: #942674)
git (1:2.24.0~rc0-1) unstable; urgency=medium
* new upstream release candidate (see RelNotes/2.24.0.txt).
git (1:2.23.0-1) unstable; urgency=medium
* new upstream release (see RelNotes/2.23.0.txt).
git (1:2.23.0~rc1-1) unstable; urgency=low
* new upstream release candidate.
* tests: sort output of hashmap iteration (closes: #933519)
git (1:2.23.0~rc0-1) unstable; urgency=low
* new upstream release candidate (see RelNotes/2.23.0.txt).
git (1:2.22.0-1) unstable; urgency=low
* new upstream release (see RelNotes/2.21.0.txt, RelNotes/2.22.0.txt).
-- Colin Watson <email address hidden> Wed, 13 Nov 2019 11:51:13 +0000
-
git (1:2.20.1-2ubuntu1) disco; urgency=medium
* Merge with Debian; remaining change:
- Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
* Dropped change:
- Build against pcre3 (pcre2 is now in main) (LP: #1792544)
git (1:2.20.1-2) unstable; urgency=low
* package git-gui: actually Suggests: meld for mergetool support;
describe what meld is used for in package description (thx Jens
Reyer; closes: #707790).
* package gitweb: Depends: libhttp-date-perl | libtime-parsedate-perl
instead of ... | libtime-modules-perl (thx gregor herrmann; closes:
#879165).
* debian/control: use https in Vcs-Browser URL.
* debian/rules: build and test quietly if DEB_BUILD_OPTIONS=terse.
* debian/control: Standards-Version: 4.3.0.1.
git (1:2.20.1-1) unstable; urgency=medium
* new upstream point release (see RelNotes/2.20.1.txt).
* package git-gui: Suggests: meld for mergetool support (thx Jens
Reyer; closes: #707790).
git (1:2.20.0-1) unstable; urgency=medium
* new upstream release (see RelNotes/2.20.0.txt).
* package git: Recommends: ca-certificates for https support (thx HJ;
closes: #915644).
git (1:2.20.0~rc2-1) unstable; urgency=low
* new upstream release candidate.
* rebase: specify 'rebase -i' in reflog for interactive rebase
(closes: #914695).
git (1:2.20.0~rc1-1) unstable; urgency=low
* new upstream release candidate (see RelNotes/2.20.0.txt).
* debian/rules: target clean: don't remove t/t4256/1/mailinfo.c.orig.
git (1:2.19.2-1) unstable; urgency=high
* new upstream point release (see RelNotes/2.19.2.txt).
* run-command: do not fall back to cwd when command is not in $PATH.
-- Jeremy Bicha <email address hidden> Wed, 23 Jan 2019 11:30:48 -0500