pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/devel git: Update to 2.24.1
details: https://anonhg.NetBSD.org/pkgsrc/rev/28144075db29
branches: trunk
changeset: 345350:28144075db29
user: leot <leot%pkgsrc.org@localhost>
date: Tue Dec 10 18:32:38 2019 +0000
description:
git: Update to 2.24.1
Changes:
2.24.1
======
This release merges up the fixes that appear in v2.14.6, v2.15.4,
v2.17.3, v2.20.2 and in v2.21.1, addressing the security issues
CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and
CVE-2019-19604.
* CVE-2019-1348:
The --export-marks option of git fast-import is exposed also via
the in-stream command feature export-marks=... and it allows
overwriting arbitrary paths.
* CVE-2019-1349:
When submodules are cloned recursively, under certain circumstances
Git could be fooled into using the same Git directory twice. We now
require the directory to be empty.
* CVE-2019-1350:
Incorrect quoting of command-line arguments allowed remote code
execution during a recursive clone in conjunction with SSH URLs.
* CVE-2019-1351:
While the only permitted drive letters for physical drives on
Windows are letters of the US-English alphabet, this restriction
does not apply to virtual drives assigned via subst <letter>:
<path>. Git mistook such paths for relative paths, allowing writing
outside of the worktree while cloning.
* CVE-2019-1352:
Git was unaware of NTFS Alternate Data Streams, allowing files
inside the .git/ directory to be overwritten during a clone.
* CVE-2019-1353:
When running Git in the Windows Subsystem for Linux (also known as
"WSL") while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active.
* CVE-2019-1354:
Filenames on Linux/Unix can contain backslashes. On Windows,
backslashes are directory separators. Git did not use to refuse to
write out tracked files with such filenames.
* CVE-2019-1387:
Recursive clones are currently affected by a vulnerability that is
caused by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive clones.
Credit for finding these vulnerabilities goes to Microsoft Security
Response Center, in particular to Nicolas Joly. The `fast-import`
fixes were provided by Jeff King, the other fixes by Johannes
Schindelin with help from Garima Singh.
* CVE-2019-19604:
The change to disallow `submodule.<name>.update=!command` entries in
`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
added explicit fsck checks) fixes the vulnerability in v2.20.x where
a recursive clone followed by a submodule update could execute code
contained within the repository without the user explicitly having
asked for that.
Credit for finding this vulnerability goes to Joern Schneeweisz,
credit for the fixes goes to Jonathan Nieder.
diffstat:
devel/git-base/Makefile | 3 +--
devel/git-base/distinfo | 10 +++++-----
devel/git/Makefile.version | 4 ++--
3 files changed, 8 insertions(+), 9 deletions(-)
diffs (45 lines):
diff -r 21066a87d861 -r 28144075db29 devel/git-base/Makefile
--- a/devel/git-base/Makefile Tue Dec 10 18:17:16 2019 +0000
+++ b/devel/git-base/Makefile Tue Dec 10 18:32:38 2019 +0000
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.71 2019/11/26 10:22:17 wiz Exp $
+# $NetBSD: Makefile,v 1.72 2019/12/10 18:32:38 leot Exp $
.include "../../devel/git/Makefile.common"
PKGNAME= git-base-${GIT_VERSION}
-PKGREVISION= 1
COMMENT= GIT Tree History Storage Tool (base package)
CONFLICTS+= scmgit-base-[0-9]*
diff -r 21066a87d861 -r 28144075db29 devel/git-base/distinfo
--- a/devel/git-base/distinfo Tue Dec 10 18:17:16 2019 +0000
+++ b/devel/git-base/distinfo Tue Dec 10 18:32:38 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.92 2019/11/08 12:52:30 ryoon Exp $
+$NetBSD: distinfo,v 1.93 2019/12/10 18:32:38 leot Exp $
-SHA1 (git-2.24.0.tar.xz) = 851537fc03f5a99419ef20e9b836de965c7928bd
-RMD160 (git-2.24.0.tar.xz) = 28b19ca928fcf8182f27031b3e2ec3e08a2b0584
-SHA512 (git-2.24.0.tar.xz) = 31c8c001fdea3b1e3e732cc42299979f1329d564f76d3950c90a0090afc1fa1ba50bdb7f86da92066843887986cc73a34c13dd651566d1af9036ecbe8aee42c3
-Size (git-2.24.0.tar.xz) = 5766056 bytes
+SHA1 (git-2.24.1.tar.xz) = 4b7f157c30f2929bb8862e991ec9a539d3a6651b
+RMD160 (git-2.24.1.tar.xz) = 7e2f48ce850b1ee4d3dd459e08b28db15d87537a
+SHA512 (git-2.24.1.tar.xz) = 010c13d4023c142876d0e075a394b74bef422944d8ca602325d0b2b47bf28b1d534283c7f295751113c83fdfcc0c91f97090e8f906560d44b04a94607fd8fcf7
+Size (git-2.24.1.tar.xz) = 5772304 bytes
SHA1 (patch-Documentation_Makefile) = 06460f220b4703a1ff98809006ec1aed5017bb23
SHA1 (patch-Makefile) = 73741b9d9a1b32bb47db48a7c546c4ff10fb41d6
SHA1 (patch-builtin_receive-pack.c) = 271df08d874a11b41f33aade64352040bc028fa2
diff -r 21066a87d861 -r 28144075db29 devel/git/Makefile.version
--- a/devel/git/Makefile.version Tue Dec 10 18:17:16 2019 +0000
+++ b/devel/git/Makefile.version Tue Dec 10 18:32:38 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.81 2019/11/08 12:24:31 adam Exp $
+# $NetBSD: Makefile.version,v 1.82 2019/12/10 18:32:38 leot Exp $
#
# used by devel/git/Makefile.common
# used by devel/git-cvs/Makefile
# used by devel/git-svn/Makefile
-GIT_VERSION= 2.24.0
+GIT_VERSION= 2.24.1
Home |
Main Index |
Thread Index |
Old Index