-
git (1:2.7.4-0ubuntu1.10) xenial-security; urgency=medium
* SECURITY UPDATE: remote code exec during clone on case-insensitive FS
- debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
follow symlinks in leading path in cache.h, compat/mingw.c,
git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
t/t2006-checkout-index-basic.sh, unpack-trees.c.
- CVE-2021-21300
-- Marc Deslauriers <email address hidden> Thu, 04 Mar 2021 08:04:31 -0500
-
git (1:2.7.4-0ubuntu1.9) xenial-security; urgency=medium
* SECURITY UPDATE: credential helper issue with missing host or scheme
- debian/patches/CVE-2020-11008-1.patch: make "quit" helper more
realistic in t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-2.patch: use more realistic inputs in
t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-3.patch: parse URL without host as
empty host, not unset in credential.c, http.c,
t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-4.patch: refuse to operate when missing
host or protocol in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-5.patch: convert gitmodules url to URL
passed to curl in fsck.c, t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-6.patch: die() when parsing invalid
urls in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-11008-7.patch: treat URL without scheme as
invalid in credential.c, fsck.c, t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-8.patch: treat URL with empty scheme as
invalid in credential.c, t/t5550-http-fetch-dumb.sh,
t/t7416-submodule-dash-url.sh.
- debian/patches/CVE-2020-11008-9.patch: reject URL with empty host in
.gitmodules in fsck.c, t/t7416-submodule-dash-url.sh.
- CVE-2020-11008
-- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 12:24:43 -0400
-
git (1:2.7.4-0ubuntu1.8) xenial-security; urgency=medium
* SECURITY UPDATE: credential helper issue with newlines in URL
- debian/patches/CVE-2020-5260-1.patch: avoid writing values with
newlines in credential.c, t/t0300-credentials.sh.
- debian/patches/CVE-2020-5260-2.patch: use test_i18ncmp to check
stderr in t/lib-credential.sh.
- debian/patches/CVE-2020-5260-3.patch: detect unrepresentable values
when parsing urls in credential.c, credential.h,
t/t0300-credentials.sh.
- debian/patches/CVE-2020-5260-4.patch: detect gitmodules URLs with
embedded newlines in fsck.c, t/t7416-submodule-dash-url.sh.
- CVE-2020-5260
-- Marc Deslauriers <email address hidden> Fri, 10 Apr 2020 12:37:56 -0400
-
git (1:2.7.4-0ubuntu1.7) xenial-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/CVE-2019-13xx/*.patch: upstream patches to fix issues.
- CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387,
CVE-2019-19604
-- Marc Deslauriers <email address hidden> Mon, 09 Dec 2019 08:51:27 -0500
-
git (1:2.7.4-0ubuntu1.6) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-15298.patch: fix in diff.h,
revision.c.
- CVE-2017-15298
-- <email address hidden> (Leonidas S. Barbosa) Mon, 26 Nov 2018 09:58:29 -0300
-
git (1:2.7.4-0ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via submodule URLs and
paths in .gitsubmodules.
- 0001-submodule-helper-use-to-signal-end-of-clone-options.patch,
0002-submodule-config-ban-submodule-urls-that-start-with-.patch,
0003-submodule-config-ban-submodule-paths-that-start-with.patch:
disallow urls and files that begin with '--'.
- 0004-fsck-detect-submodule-urls-starting-with-dash.patch,
0005-fsck-detect-submodule-paths-starting-with-dash.patch:
reject gitmodules that contain submodule urls and files that begin
with '--'.
- CVE-2018-17456
* SECURITY UPDATE: incomplete fix for CVE-2017-14867
- 0006-cvsimport-apply-shell-quoting-regex-globally.patch: escape
all instances of backticks
-- Steve Beattie <email address hidden> Fri, 05 Oct 2018 16:59:03 -0700
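The checks that the CVE-2018-17456, CVE-2020-5260 and CVE-2020-11008 entries describe for .gitmodules entries (leading dash, embedded newline, missing scheme or host), as an added illustration that is not git's or Ubuntu's code: the rules are a simplified model of the fsck hardening, the parser covers only the config syntax the constructed sample uses, and scp-style URLs are deliberately left unchecked.

```python
import re
from urllib.parse import urlsplit
SECTION = re.compile(r'^\[submodule "([^"]+)"\]$')

# Constructed sample (not from the page); "\n" in a value is git's config escape for a newline.
SAMPLE_GITMODULES = """[submodule "lib"]
\tpath = lib
\turl = https://example.com/lib.git
[submodule "dash"]
\tpath = --upload-pack=touch
\turl = --upload-pack=touch
[submodule "nl"]
\tpath = nl
\turl = https://example.com/a\\nhost=evil
"""

def parse_gitmodules(text):
    sections, current = {}, None            # {name: {key: value}}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value.replace("\\n", "\n")   # unescape git's \n
    return sections

def check_url(url):
    reasons = []                            # empty list means the URL is accepted
    if url.startswith("-"):
        reasons.append("url starts with dash")  # would be parsed as an option
    if "\n" in url or "\r" in url:
        reasons.append("url contains newline")  # breaks the credential helper protocol
    if url.startswith(("./", "../")):
        return reasons                      # relative to the superproject: no host to check
    if "://" in url:                        # curl-style URL: scheme and host required
        parts = urlsplit(url)
        if not parts.scheme or not parts.hostname:
            reasons.append("empty scheme or host")
    return reasons

def audit(text):
    bad = {}                                # rejected submodule name -> reasons
    for name, kv in parse_gitmodules(text).items():
        reasons = check_url(kv.get("url", ""))
        if kv.get("path", "").startswith("-"):
            reasons.append("path starts with dash")
        if reasons:
            bad[name] = reasons
    return bad
```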
-
git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via
submodule names in .gitsubmodules.
- 0014-fsck-simplify-.git-check.patch
- 0015-fsck-actually-fsck-blob-data.patch
- 0016-fsck-detect-gitmodules-files.patch
- 0017-fsck-check-.gitmodules-content.patch
- 0018-fsck-call-fsck_finish-after-fscking-objects.patch
- 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
- 0020-index-pack-check-.gitmodules-files-with-strict.patch
- CVE-2018-11235 (LP: #1774061)
* SECURITY UPDATE: out-of-bounds memory access when sanity-checking
pathnames on NTFS
- 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
- CVE-2018-11233
* Do not allow .gitmodules to be a symlink:
- 0003-is_hfs_dotgit-match-other-.git-files.patch
- 0004-is_ntfs_dotgit-match-other-.git-files.patch
- 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
- 0006-skip_prefix-add-case-insensitive-variant.patch
- 0007-verify_path-drop-clever-fallthrough.patch
- 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
- 0009-update-index-stat-updated-files-earlier.patch
- 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
- 0011-sha1_file-add-read_loose_object-function.patch
- 0012-fsck-parse-loose-object-paths-directly.patch
- 0013-index-pack-make-fsck-error-message-more-specific.patch
- 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
* debian/rules: ensure added tests are executable.
-- Steve Beattie <email address hidden> Fri, 01 Jun 2018 23:44:15 -0700
-
git (1:2.7.4-0ubuntu1.3) xenial-security; urgency=high
* SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
- shell-drop-git-cvsserver-support-by-default.diff
- cvsserver-use-safe_pipe_capture.diff
- cvsimport-shell-quote-variable-used-in-backticks.diff
- archimport-use-safe_pipe_capture-for-user-input.diff
- CVE-2017-14867
-- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:14:37 -0500
-
git (1:2.7.4-0ubuntu1.2) xenial-security; urgency=medium
* SECURITY UPDATE: Arbitrary code execution on clients through
malicious ssh URLs.
- debian/patches/CVE-2017-1000117.patch: filter out hostnames that
would be interpreted as cli arguments to ssh
- debian/diff/0002-transport-expose-git_tcp_connect-and-friends-in-new-t.diff:
update to adjust for changes from CVE-2017-1000117.patch.
- CVE-2017-1000117
-- Steve Beattie <email address hidden> Thu, 10 Aug 2017 14:15:28 -0700
-
git (1:2.7.4-0ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: git shell restriction bypass
- debian/patches/CVE-2017-8386.patch: disallow repo names beginning
with dash in shell.c.
- CVE-2017-8386
-- Marc Deslauriers <email address hidden> Fri, 12 May 2017 09:29:55 -0400
-
git (1:2.7.4-0ubuntu1) xenial; urgency=medium
* SECURITY UPDATE: New upstream release to fix denial of service or possible
remote code execution (LP: #1557787)
+ CVE-2016-2324
+ The previous upload only fixed one of the two security issues and 2.7.4
is needed to address the second
-- Tyler Hicks <email address hidden> Tue, 22 Mar 2016 18:32:49 -0500
-
git (1:2.7.3-0ubuntu1) xenial; urgency=medium
* New upstream release, with critical security bugfixes (LP: #1557787)
-- Adam Conrad <email address hidden> Tue, 15 Mar 2016 17:39:56 -0600
-
git (1:2.7.0-1) unstable; urgency=low
* new upstream release.
-- Jonathan Nieder <email address hidden> Tue, 19 Jan 2016 11:04:08 -0800
-
git (1:2.7.0~rc3-1) unstable; urgency=low
* new upstream release candidate (see RelNotes/2.7.0.txt).
* debian/control: Standards-Version: 3.9.6.0.
* debian/control: use HTTPS for Homepage URL.
-- Jonathan Nieder <email address hidden> Mon, 04 Jan 2016 12:25:50 -0800
-
git (1:2.6.4-1) unstable; urgency=medium
* new upstream point release (see RelNotes/2.6.4.txt).
-- Jonathan Nieder <email address hidden> Thu, 10 Dec 2015 16:07:19 -0800
-
git (1:2.6.3-1) unstable; urgency=medium
* new upstream point release (see RelNotes/2.6.3.txt).
-- Jonathan Nieder <email address hidden> Tue, 08 Dec 2015 12:02:26 -0800
-
git (1:2.6.2-1) unstable; urgency=low
* new upstream point release (see RelNotes/2.6.2.txt).
-- Jonathan Nieder <email address hidden> Fri, 23 Oct 2015 11:52:44 -0700
-
git (1:2.6.1-1) unstable; urgency=high
* new upstream point release (see RelNotes/2.6.1.txt).
-- Jonathan Nieder <email address hidden> Mon, 05 Oct 2015 11:16:05 -0700
-
git (1:2.5.0-1) unstable; urgency=low
* new upstream release (see RelNotes/2.5.0.txt).
-- Jonathan Nieder <email address hidden> Tue, 28 Jul 2015 10:47:13 -0700