Change logs for git source package in Lunar

  • git (1:2.39.2-1ubuntu1.1) lunar-security; urgency=medium
    
      * SECURITY UPDATE: Overwriting path
        - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
          --reject overwriting existing .rej symlink if it exists in apply.c,
          t/t4115-apply-symlink.sh.
        - CVE-2023-25652
      * SECURITY UPDATE: Malicious placement of crafted messages
        - debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
          avoid using gettext if the locale dir is not present in
          gettext.c.
        - CVE-2023-25815
      * SECURITY UPDATE: Arbitrary configuration injection
        - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
          fixed-sized buffer when renaming/deleting a section in config.c,
          t/t1300-config.sh.
        - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
          integer truncation in copy_or_rename_section_in_file() in config.c.
        - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
          overly-long lines in copy_or_rename_section_in_file in config.c.
        - CVE-2023-29007
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 24 Apr 2023 13:01:23 -0300
  • git (1:2.39.2-1ubuntu1) lunar; urgency=medium
    
      * Merge from Debian Unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
    
    git (1:2.39.2-1) unstable; urgency=medium
    
      * new upstream point release (see RelNotes/2.39.2.txt).  Addresses
        CVE-2023-22490 and CVE-2023-23946.
    
     -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2023 10:52:54 -0500
  • git (1:2.39.1-0.1ubuntu1) lunar; urgency=medium
    
      * Merge from Debian Unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
    
    git (1:2.39.1-0.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * New upstream stable release (Closes: #1029114)
        Fixes CVE-2022-23521 and CVE-2022-41903.
    
    git (1:2.39.0-1) unstable; urgency=low
    
      * new upstream release (see RelNotes/2.39.0.txt).
    
     -- Simon Quigley <email address hidden>  Sat, 11 Feb 2023 14:55:51 -0600
  • git (1:2.38.1-1ubuntu2) lunar; urgency=medium
    
      * d/p/fix-cpuinfo-regexp.patch: fix cpuinfo regexp to accommodate the
        way s390x shows it (LP: #1997475)
    
     -- Andreas Hasenack <email address hidden>  Tue, 22 Nov 2022 14:25:40 -0300
  • git (1:2.38.1-1ubuntu1) lunar; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
    
    git (1:2.38.1-1) unstable; urgency=medium
    
      * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
        RelNotes/2.38.1.txt).
        * Addresses the security issue CVE-2022-39253: cloning an
          attacker-controlled local repository could store arbitrary files
          in the ".git" directory of the destination repository.
    
          Thanks to Cory Snider of Mirantis for reporting this
          vulnerability and Taylor Blau for the mitigation.
    
        * Addresses CVE-2022-39260: a long command string passed to a `git
          shell` configured to support custom commands could overflow and
          run arbitrary code.
    
          Thanks to Kevin Backhouse of GitHub for reporting this
          vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
          for mitigating it.
    
     -- Steve Langasek <email address hidden>  Mon, 07 Nov 2022 15:50:56 -0800
  • git (1:2.37.2-1ubuntu1) kinetic; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Build diff-highlight in the contrib dir
        - Don't build-depend on subversion on i386, it is not reasonable to
          support on the partial arch.
      * Dropped changes, included upstream:
        - debian/patches/CVE-2022-29187-1.patch: adds test to
          regression git needs safe.directory when using sudo in
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
          checks if running privileged in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-3.patch: add negative tests
          and allow git init to mostly work under sudo in
          t/lib-sudo.sh b/t/lib-sudo.sh.
        - debian/patches/CVE-2022-29187-4.patch: allow root
          to access both SUDO_UID and root owned in git-compat-util.h,
          t/t0034-root-safe-directory.sh.
        - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
          post CVE-2022-24765 in setup.c.
    
    git (1:2.37.2-1) unstable; urgency=low
    
      * new upstream release (closes: #1016723; see RelNotes/2.37.0.txt,
        RelNotes/2.37.1.txt, RelNotes/2.37.2.txt).
    
     -- Steve Langasek <email address hidden>  Tue, 16 Aug 2022 11:34:06 -0700