-
git (1:2.40.1-1ubuntu1.1) mantic-security; urgency=medium
* SECURITY UPDATE: Facilitation of arbitrary code execution
- debian/patches/CVE-2024-32002.patch: submodule paths
must not contains symlinks in builtin/submodule--helper.c.
- CVE-2024-32002
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2024-32004.patch: detect dubious ownership of
local repositories in path.c, setup.c, setup.h.
- CVE-2024-32004
* SECURITY UPDATE: Overwrite of possible malicious hardlink
- debian/patches/CVE-2024-32020.patch: refuse clones of unsafe
repositories in builtin/clonse.c, t0033-safe-directory.sh.
- CVE-2024-32020
* SECURITY UPDATE: Unauthenticated attacker to place a repository
on their target's local system that contains symlinks
- debian/patches/CVE-2024-32021.patch: abort when hardlinked source and
target file differ in builtin/clone.c
- CVE-2024-32021
* SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default
in builtin/upload-pack.c, promisor-remote.c
- CVE-2024-32465
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 20 May 2024 08:31:04 -0300
-
git (1:2.40.1-1ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Build diff-highlight in the contrib dir
- Don't build-depend on subversion on i386, it is not reasonable to
support on the partial arch.
* Dropped changes, included upstream:
- debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
--reject overwriting existing .rej symlink if it exists in apply.c,
t/t4115-apply-symlink.sh.
- debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
avoid using gettext if the locale dir is not present in
gettext.c.
- debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
fixed-sized buffer when renaming/deleting a section in config.c,
t/t1300-config.sh.
- debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
integer truncation in copy_or_rename_section_in_file() in config.c.
- debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
overly-long lines in copy_or_rename_section_in_file in config.c.
git (1:2.40.1-1) unstable; urgency=medium
* new upstream point release (see RelNotes/2.40.1.txt; addresses
CVE-2023-25652, CVE-2023-25815 CVE-2023-29007).
git (1:2.40.0-1) unstable; urgency=low
* new upstream release (see RelNotes/2.40.0.txt).
* debian/git-doc.doc-base.{git-index-format,git-pack-format,git-protocol}:
remove from documentation index, as the main git(1) reference
manual is the main entry point to find these.
git (1:2.39.2-1.1) unstable; urgency=medium
* Non-maintainer upload (only changes to git-doc).
* Correct paths in git-doc doc-base control files (Closes: #1023255)
-- Steve Langasek <email address hidden> Thu, 18 May 2023 10:40:53 -0700
-
git (1:2.39.2-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: Overwriting path
- debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
--reject overwriting existing .rej symlink if it exists in apply.c,
t/t4115-apply-symlink.sh.
- CVE-2023-25652
* SECURITY UPDATE: Malicious placement of crafted messages
- debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
avoid using gettext if the locale dir is not present in
gettext.c.
- CVE-2023-25815
* SECURITY UPDATE: Arbitrary configuration injection
- debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
fixed-sized buffer when renaming/deleting a section in config.c,
t/t1300-config.sh.
- debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
integer truncation in copy_or_rename_section_in_file() in config.c.
- debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
overly-long lines in copy_or_rename_section_in_file in config.c.
- CVE-2023-29007
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 24 Apr 2023 13:01:23 -0300
-
git (1:2.39.2-1ubuntu1) lunar; urgency=medium
* Merge from Debian Unstable. Remaining changes:
- Build diff-highlight in the contrib dir
- Don't build-depend on subversion on i386, it is not reasonable to
support on the partial arch.
git (1:2.39.2-1) unstable; urgency=medium
* new upstream point release (see RelNotes/2.39.2.txt). Addresses
CVE-2023-22490 and CVE-2023-23946.
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2023 10:52:54 -0500