Changelog

git (1:2.7.4-0ubuntu1.5~ubuntu14.04.1~ppa1) trusty; urgency=medium

  * No-change backport to trusty

git (1:2.7.4-0ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via submodule URLs and
    paths in .gitsubmodules.
    - 0001-submodule-helper-use-to-signal-end-of-clone-options.patch,
      0002-submodule-config-ban-submodule-urls-that-start-with-.patch,
      0003-submodule-config-ban-submodule-paths-that-start-with.patch:
      disallow urls and files that begin with '--'.
    - 0004-fsck-detect-submodule-urls-starting-with-dash.patch,
      0005-fsck-detect-submodule-paths-starting-with-dash.patch:
      reject gitmodules that contain submodule urls and files that begin
      with '--'.
    - CVE-2018-17456
  * SECURITY UPDATE: incomplete fix for CVE-2017-14867
    - 0006-cvsimport-apply-shell-quoting-regex-globally.patch: escape
      all instances of backticks

git (1:2.7.4-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0014-fsck-simplify-.git-check.patch
    - 0015-fsck-actually-fsck-blob-data.patch
    - 0016-fsck-detect-gitmodules-files.patch
    - 0017-fsck-check-.gitmodules-content.patch
    - 0018-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0019-unpack-objects-call-fsck_finish-after-fscking-object.patch
    - 0020-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0002-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
    - 0003-is_hfs_dotgit-match-other-.git-files.patch
    - 0004-is_ntfs_dotgit-match-other-.git-files.patch
    - 0005-is_-hfs-ntfs-_dotgitmodules-add-tests.patch
    - 0006-skip_prefix-add-case-insensitive-variant.patch
    - 0007-verify_path-drop-clever-fallthrough.patch
    - 0008-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0009-update-index-stat-updated-files-earlier.patch
    - 0010-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0011-sha1_file-add-read_loose_object-function.patch
    - 0012-fsck-parse-loose-object-paths-directly.patch
    - 0013-index-pack-make-fsck-error-message-more-specific.patch
    - 0021-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * debian/rules: ensure added tests are executable.

git (1:2.7.4-0ubuntu1.3) xenial-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

git (1:2.7.4-0ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through
    malicious ssh URLs.
    - debian/patches/CVE-2017-1000117.patch: filter out hostnames that
      would be interpreted as cli arguments to ssh
    - debian/diff/0002-transport-expose-git_tcp_connect-and-friends-in-new-t.diff:
      update to adjust for changes from CVE-2017-1000117.patch.
    - CVE-2017-1000117

git (1:2.7.4-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: git shell restriction bypass
    - debian/patches/CVE-2017-8386.patch: disallow repo names beginning
      with dash in shell.c.
    - CVE-2017-8386

git (1:2.7.4-0ubuntu1) xenial; urgency=medium

  * SECURITY UPDATE: New upstream release to fix denial of service or possible
    remote code execution (LP: #1557787)
    + CVE-2016-2324
    + The previous upload only fixed one of the two security issues and 2.7.4
      is needed to address the second

git (1:2.7.3-0ubuntu1) xenial; urgency=medium

  * New upstream release, with critical security bugfixes (LP: #1557787)

git (1:2.7.0-1) unstable; urgency=low

  * new upstream release.

git (1:2.7.0~rc3-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.7.0.txt).
  * debian/control: Standards-Version: 3.9.6.0.
  * debian/control: use HTTPS for Homepage URL.

git (1:2.6.4-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.6.4.txt).

git (1:2.6.3-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.6.3.txt).

git (1:2.6.2-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.6.2.txt).

git (1:2.6.1-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.6.1.txt).

git (1:2.6.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.6.0.txt).

git (1:2.5.3-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.5.2.txt, 2.5.3.txt).

git (1:2.5.1-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.5.1.txt).

git (1:2.5.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.5.0.txt).

git (1:2.4.6-1) unstable; urgency=medium

  * new upstream release (see RelNotes/2.[234].*.txt).
  * debian/rules: use install-html target for git-subtree docs
    (see #768795).
  * gitweb: Pre-Depends: dpkg 1.16.1 for -noawait support.
  * gitweb.apache2.conf: make configuration conditional on MIME
    support (thx Uwe Storbeck; closes: #775236).

git (1:2.1.4-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Use interest-noawait triggers for gitweb to avoid a
    trigger cycle.  (Closes: #774607)

git (1:2.1.4-2) unstable; urgency=medium

  * update gitweb configuration for Apache 2.4:
    * apache2.conf:
      * make configuration conditional on CGI and alias support.
      * put explicit '+' before FollowSymLinks option.
    * README.Debian: update with new configuration file path.
      Mention CGI support requirement.
    * prerm: fix typo in last line (it should be "fi", not "then").
    * update version number in conffile handling code to handle
      upgrades within testing.

git (1:2.1.4-1) unstable; urgency=medium

  * new upstream point release (CVE-2014-9390).
    * checkout: tighten exit code handling on errors.
    * avoid writing filenames to the work tree that some filesystems
      do not distinguish from ".git".
      * reject ".gIt" and other path components that case-fold
        to ".git" in "git checkout", "git add", and "git fsck".
      * new '[core] protectHFS' setting to reject path components
        such as ".Git\u200f" that HFS+ folds to ".git" in
        "git checkout" and "git add".  Always reject such paths
        in "git fsck".  (U+200F is the Unicode right-to-left
        mark.)
      * new '[core] protectNTFS' setting to reject path components
        such as ".Git " that NTFS folds to ".git" in "git checkout"
        and "git add".  Always reject such paths in "git fsck".
  * gitweb: use apache 2.4-compatible configuration (thx Jean-Michel
    Nirgal Vourgère for advice; closes: #669292).
    * rules, conffiles: Apache configuration goes in
      /etc/apache2/conf-available, not conf.d.
    * preinst, postinst, postrm: use dpkg-maintscript-helper to
      rename the conffile and preserve local changes.
    * postinst, prerm, postrm: use apache2-maintscript-helper if
      present to load and unload gitweb configuration.
    * implicit: check for debian/$pkg.triggers.
    * triggers: re-run postinst when apache2-maintscript-helper is
      installed.
    * control:
      * Pre-Depends: dpkg 1.15.8 for dpkg-maintscript-helper.
      * Breaks: apache2.2-common because the Apache configuration
        requires version 2.4.
  * debian/diff/0009-git-svn-use-SVN-Ra-get_dir2-when-possible.diff:
    new from upstream: git svn: use get_dir2 instead of get_dir when
    possible (thx Eric Wong; works around: #767530).
  * debian/diff/0010-gitweb-hack-around-CGI-s-list-context-...diff:
    new from upstream: gitweb: be explicit about use of param() in list
    context, avoiding log noise with libcgi-pm-perl >= 4.08 and a test
    failure in t9500-gitweb-standalone-no-errors.sh (thx Reiner
    Herrmann; closes: #770655).
  * correct spelling of Roland Mas's name in the 1:2.1.3-1 changelog
    entry.

git (1:2.1.3-1) unstable; urgency=low

  * new upstream point release.
    * config --add: avoid segfault when key already has an empty value.
    * remote-http: avoid failure due to command line length limits when
      pushing many refs.
    * fast-import: avoid segfault when trying to clear root tree.
    * index-pack: reliably detect and error out when encountering
      duplicate delta base.
    * gc: do not prune objects only reachable from HEAD.
    * fsck: be more consistent about exiting nonzero for corruption.
    * am: tighten check for mbox 'From ' line.
    * daemon: fix error message when bind() fails.
    * mergetool: fix --output handling in meld >= 3.12 (see GNOME
      bug 737869).
    * gitweb: use start_form instead of startform for compatibility
      with CGI.pm 4.04 and newer (thx Roland Mas; closes: #765525).
    * pack-objects: do not write invalid bitmaps when hitting pack
      size limit.

git (1:2.1.1-1) unstable; urgency=low

  * new upstream point release.

git (1:2.1.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.1.0.txt).

git (1:2.1.0~rc1-1) unstable; urgency=low

  * new upstream release candidate.

git (1:2.0.1-1) unstable; urgency=low

  * new upstream point release.

git (1:2.0.0-2) unstable; urgency=low

  * debian/rules: drop obsolete THREADED_DELTA_SEARCH setting.
  * debian/rules: add SANE_TOOL_PATH= INSTALL=install TAR=tar to
    OPTS to fix the Dyson build (thx Игорь Пашев; closes:
    #734097).
  * debian/rules: remove NO_PYTHON=1 now that the git_remote_helpers
    library has been removed.
  * debian/rules: remove git-p4 and its documentation from the git,
    git-man, and git-doc packages.  It depends on Perforce, which is
    not part of Debian.

git (1:2.0.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.0.0.txt).

git (1:2.0.0~rc4-1) unstable; urgency=low

  * new upstream release candidate.
  * remove source-highlight build dependency since the markup
    requiring it was removed upstream (thx Anders Kaseorg;
    LP: #1316810).
  * remove git-bzr package to make room for a package built from
    https://github.com/felipec/git-remote-bzr.
    * debian/control: remove references to git-bzr package.
    * debian/control: remove Build-Depends: bzr, python-bzrlib.
    * debian/rules: remove rules to build, install, and clean
      git-remote-bzr.
    * debian/git-doc.docs: do not install git-remote-bzr.html.
    * debian/git-remote-bzr.txt, debian/git-bzr.postinst,
      debian/git-bzr.prerm, debian/git-bzr.README.Debian: remove.

git (1:2.0.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.

git (1:2.0.0~rc0-2) unstable; urgency=low

  [ Anders Kaseorg ]
  * add source-highlight build dependency (closes: #745591).

git (1:2.0.0~rc0-1) unstable; urgency=low

  * new upstream release candidate.
  * debian/diff/0009-contrib-subtree-unset-prefix-before-....diff:
    remove; applied upstream.
  * update debian/copyright.

git (1:1.9.2-1) unstable; urgency=low

  * new upstream point release.
    * wt-status: subject full label string to l10n (thx Raphaël
      Hertzog; closes: #725777).

 -- Colin Watson <email address hidden>  Thu, 15 Nov 2018 14:39:29 +0000
