summaryrefslogtreecommitdiff
path: root/devel/git/Makefile.version
diff options
context:
space:
mode:
authorleot <leot@pkgsrc.org>2019-12-10 18:32:38 +0000
committerleot <leot@pkgsrc.org>2019-12-10 18:32:38 +0000
commit7880d88f57e329b2f47fb41232e8955e4faa66aa (patch)
treee42d950315ce9387aee2d29c76e1b4599faf8943 /devel/git/Makefile.version
parent5c78d1961a640a2372d25537cc2ab5ad0f9897b2 (diff)
downloadpkgsrc-7880d88f57e329b2f47fb41232e8955e4faa66aa.tar.gz
git: Update to 2.24.1
Changes: 2.24.1 ====== This release merges up the fixes that appear in v2.14.6, v2.15.4, v2.17.3, v2.20.2 and in v2.21.1, addressing the security issues CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and CVE-2019-19604. * CVE-2019-1348: The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. * CVE-2019-1349: When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. We now require the directory to be empty. * CVE-2019-1350: Incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs. * CVE-2019-1351: While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst <letter>: <path>. Git mistook such paths for relative paths, allowing writing outside of the worktree while cloning. * CVE-2019-1352: Git was unaware of NTFS Alternate Data Streams, allowing files inside the .git/ directory to be overwritten during a clone. * CVE-2019-1353: When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. * CVE-2019-1354: Filenames on Linux/Unix can contain backslashes. On Windows, backslashes are directory separators. Git did not use to refuse to write out tracked files with such filenames. * CVE-2019-1387: Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. Credit for finding these vulnerabilities goes to Microsoft Security Response Center, in particular to Nicolas Joly. The `fast-import` fixes were provided by Jeff King, the other fixes by Johannes Schindelin with help from Garima Singh. * CVE-2019-19604: The change to disallow `submodule.<name>.update=!command` entries in `.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 added explicit fsck checks) fixes the vulnerability in v2.20.x where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that. Credit for finding this vulnerability goes to Joern Schneeweisz, credit for the fixes goes to Jonathan Nieder.
Diffstat (limited to 'devel/git/Makefile.version')
-rw-r--r--devel/git/Makefile.version4
1 files changed, 2 insertions, 2 deletions
diff --git a/devel/git/Makefile.version b/devel/git/Makefile.version
index d5d14f58c0a..09b2670c5c9 100644
--- a/devel/git/Makefile.version
+++ b/devel/git/Makefile.version
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.81 2019/11/08 12:24:31 adam Exp $
+# $NetBSD: Makefile.version,v 1.82 2019/12/10 18:32:38 leot Exp $
#
# used by devel/git/Makefile.common
# used by devel/git-cvs/Makefile
# used by devel/git-svn/Makefile
-GIT_VERSION= 2.24.0
+GIT_VERSION= 2.24.1