Accepting request 1311991 from devel:tools:scm

Forwarded request #1311990 from darix

add bugnumber

OBS-URL: https://build.opensuse.org/request/show/1311991
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git-lfs?expand=0&rev=21

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/git-lfs/git-lfs</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v3.6.1</param>
+    <param name="revision">v3.7.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">disable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

git-lfs-3.6.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:07feac233837dc4b5a67f70223a26edf7fdc81f34c7936fe8774bb6fab310ec1
-size 3164172

git-lfs-3.7.1.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c76b06c849eac62eb7f1ba1bc80fddbb99dbde81f70f6ab267758243ea9535b7
+size 3248140

git-lfs.changes

@@ -1,3 +1,127 @@
+-------------------------------------------------------------------
+Fri Oct 17 08:10:35 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 3.7.1: (boo#1252259 CVE-2025-26625)
+  This release introduces security fixes for Linux, macOS, and
+  Windows systems, which have been collectively assigned
+  CVE-2025-26625.
+  When populating a Git repository's working tree with the contents
+  of Git LFS objects, certain Git LFS commands may write to files
+  visible outside the current Git working tree if symbolic or hard
+  links exist which collide with the paths of files tracked by Git
+  LFS.
+  Git LFS has resolved this problem by revising the git lfs
+  checkout and git lfs pull commands so that they check for
+  symbolic links in the same manner as performed by Git before
+  writing to files in the working tree.  These commands now also
+  remove existing files in the working tree before writing new
+  files in their place.
+  As well, Git LFS has resolved a problem whereby the git lfs
+  checkout and git lfs pull commands, when run in a bare
+  repository, could write to files visible outside the repository.
+  While a specific and relatively unlikely set of conditions were
+  required for this to occur, it is no longer possible under any
+  circumstances.
+  We would like to extend a special thanks to the following
+  open-source contributors:
+    Apple Product Security for reporting this to us responsibly
+  * Bugs
+    - Detect symbolic links on checkout and pull (@chrisd8088)
+  * Misc
+    - Upgrade to Go 1.25 (@chrisd8088)
+
+-------------------------------------------------------------------
+Fri Jun 27 10:12:13 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- update to 3.7.0
+  This release is a feature release which introduces several new options
+  for fetching Git LFS objects, such as the ability to force objects
+  to be re-downloaded and the capacity to output object URLs and HTTP
+  metadata in JSON for external tools to consume. This release also
+  adds a configurable in-memory cache of file path pattern matches,
+  which along with other changes can help reduce the time required to
+  migrate large repositories to Git LFS.
+
+  Git LFS now supports the same .netrc files on Windows as Git and
+  curl, retries appropriately after all 429 status code HTTP
+  responses, permits the use of symbolic links to Git's object
+  storage during Git LFS migrations
+
+  - Features
+    - Cache a file path filter match result #6047 (@alexkad0)
+    - Add --refetch option to fetch #5975 (@redsun82)
+    - Add --json option to fetch #5974 (@redsun82)
+    - Add --dry-run option to fetch #5973 (@redsun82)
+  - Bugs
+    - Verify TLS/SSL certificates using default Go support for
+      macOS system root CAs #6049 (@chrisd8088)
+    - Prefer .netrc on windows if present #6055 (@johanvdw)
+    - Fix migrations where .git/objects is a symlink #6042
+      (@bk2204)
+    - Honour 429 object transfer response Retry-After headers #6014
+      (@chrisd8088)
+  - Misc
+    - Update Linux distribution package list for v3.7.0 release
+      (@chrisd8088)
+    - Report missing objects consistently when pushing #6027
+      (@chrisd8088)
+    - Use a git-update-ref script to update references #6048
+      (@alexkad0)
+    - Drop unused generic stub function for cloning files #6050
+      (@chrisd8088)
+    - Prevent conflicting curl macros in early Git version CI jobs
+      #6040 (@chrisd8088)
+    - pull: improve error message on failing checkout #5629
+      (@bk2204)
+    - Fix language in code snippets in API docs #6035
+      (@slonopotamus)
+    - build(deps): bump golang.org/x/net from 0.36.0 to 0.38.0
+      #6034 (@dependabot[bot])
+    - Use single-target Makefile patterns for manual pages #6032
+      (@chrisd8088)
+    - use direct value nil for error #6024 (@alingse)
+    - Update minimum required Git version checks #6028
+      (@chrisd8088)
+    - build(deps): bump golang.org/x/net from 0.33.0 to 0.36.0
+      #6012 (@dependabot[bot])
+    - Upgrading x/crypto to v0.35.0 to solve CVE-2025-22869 #5997
+      (@gergelyfabian)
+    - Upgrade to Go 1.24 #6013 (@chrisd8088)
+    - Use constant format strings and fix HTTP error messages #5998
+      (@chrisd8088)
+    - Remove command name prefixes from progress messages #5995
+      (@chrisd8088)
+    - doc: Add missing "--to" argument in git-lfs-checkout example
+      #6005 (@DarkDefender)
+    - Replace min/max helpers with built-in min/max #5999
+      (@Juneezee)
+    - Add security patch release process documentation #5987
+      (@chrisd8088)
+    - Replace unused debug mode with trace logging #5989
+      (@chrisd8088)
+    - Use default Ruby provided by Actions runners #5984
+      (@chrisd8088)
+    - build(deps): bump azure/trusted-signing-action from 0.5.0 to
+      0.5.1 #5981 (@dependabot[bot])
+    - Update workflows to use ARM runners and new Apple signing
+      certificate #5977 (@chrisd8088)
+    - docs/man/git-lfs-prune.adoc: fix --(no-)verify-unreachable
+      description #5959 (@m3ka24)
+    - docs/man/git-lfs-migrate.adoc: remove duplicate flag #5944
+      (@fedirz)
+    - Upgrade golang.org/x/net from 0.23.0 to 0.33.0 #5940
+      (@gergelyfabian)
+    - build(deps): bump golang.org/x/crypto from 0.21.0 to 0.31.0
+      #5935 (@dependabot[bot])
+    - Simplify macOS CI jobs and specify Go toolchain version #5931
+      (@chrisd8088)
+    - Tighten security of Actions workflows #5930 (@bk2204)
+    - Corrected Pop!_OS naming #5929 (@LucasDondo)
+    - Update release process documentation and scripts #5920
+      (@chrisd8088)
+    - Update license copyright dates and minimum supported Git
+      version #5921 (@chrisd8088)
+
 -------------------------------------------------------------------
 Wed Jan 15 07:00:27 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

git-lfs.obsinfo

@@ -1,4 +1,4 @@
 name: git-lfs
-version: 3.6.1
-mtime: 1733271867
-commit: ea47a34bde1ba1ecf9eb8dc6d44fcf7aef42f5e3
+version: 3.7.1
+mtime: 1760655403
+commit: b84b33847fe6458f36ef521534dc0eac953cb379

git-lfs.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package git-lfs
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %bcond_without    build_docs
 
 Name:           git-lfs
-Version:        3.6.1
+Version:        3.7.1
 Release:        0
 Summary:        Git extension for versioning large files
 License:        MIT
@@ -35,7 +35,7 @@ BuildRequires:  fdupes
 BuildRequires:  git-core >= 1.8.2
 BuildRequires:  golang-packaging
 BuildRequires:  which
-BuildRequires:  golang(API) >= 1.18
+BuildRequires:  golang(API) >= 1.25
 Requires:       git-core >= 1.8.2
 Requires(post): git-core >= 1.8.2
 Requires(preun): git-core >= 1.8.2

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e03a18e537aa394644eac1e38336dd070a6304b41e41cc18d9a7db97735de808
-size 1257200
+oid sha256:accf9992fbddc2e543baadad33f0a704bb6b40427aee16d826cdf0347866343b
+size 1300484