diff --git a/git-2.38.0.tar.sign b/git-2.38.0.tar.sign deleted file mode 100644 index 7893197..0000000 Binary files a/git-2.38.0.tar.sign and /dev/null differ diff --git a/git-2.38.0.tar.xz b/git-2.38.0.tar.xz deleted file mode 100644 index 0cff166..0000000 --- a/git-2.38.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:923eade26b1814de78d06bda8e0a9f5da8b7c4b304b3f9050ffb464f0310320a -size 7086664 diff --git a/git-2.38.1.tar.sign b/git-2.38.1.tar.sign new file mode 100644 index 0000000..e9bde09 Binary files /dev/null and b/git-2.38.1.tar.sign differ diff --git a/git-2.38.1.tar.xz b/git-2.38.1.tar.xz new file mode 100644 index 0000000..45426ec --- /dev/null +++ b/git-2.38.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97ddf8ea58a2b9e0fbc2508e245028ca75911bd38d1551616b148c1aa5740ad9 +size 7088208 diff --git a/git.changes b/git.changes index f1b0dac..917d2b6 100644 --- a/git.changes +++ b/git.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Tue Nov 1 20:55:50 UTC 2022 - Andreas Stieger + +- disable tests on s390x (check-chainlint) + +------------------------------------------------------------------- +Wed Oct 26 19:57:18 UTC 2022 - Dirk Müller + +- update to 2.38.1 (bsc#1204455, CVE-2022-39253, bsc#1204456, CVE-2022-39260): + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + ------------------------------------------------------------------- Thu Oct 6 19:29:30 UTC 2022 - Andreas Stieger diff --git a/git.spec b/git.spec index a8fcc37..8ed98ee 100644 --- a/git.spec +++ b/git.spec @@ -36,7 +36,7 @@ %bcond_with asciidoctor %endif Name: git -Version: 2.38.0 +Version: 2.38.1 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0-only @@ -460,7 +460,10 @@ cat %{name}.lang >>bin-man-doc-files %fdupes -s %{buildroot} %check +# https://public-inbox.org/git/f1a5f758-d81f-5985-9b5d-2f0dbfaac071@opensuse.org/ +%ifnarch s390x ./.make %{?_smp_mflags} test +%endif %if 0%{?suse_version} >= 1500 %pre daemon -f git-daemon.pre