Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package git for openSUSE:Factory checked in at 2022-11-08 10:53:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/git (Old)
 and      /work/SRC/openSUSE:Factory/.git.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "git"

Tue Nov 8 10:53:08 2022 rev:290 rq:1032894 version:2.38.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/git/git.changes 2022-10-10 18:43:52.974780884 +0200
+++ /work/SRC/openSUSE:Factory/.git.new.1597/git.changes 2022-11-08 10:53:10.957324616 +0100
@@ -1,0 +2,30 @@ +Tue Nov 1 20:55:50 UTC 2022 - Andreas Stieger <[email protected]> + +- disable tests on s390x (check-chainlint) + +------------------------------------------------------------------- +Wed Oct 26 19:57:18 UTC 2022 - Dirk M??ller <[email protected]> + +- update to 2.38.1 (bsc#1204455, CVE-2022-39253, bsc#1204456, CVE-2022-39260): + * CVE-2022-39253: + When relying on the `--local` clone optimization, Git dereferences + symbolic links in the source repository before creating hardlinks + (or copies) of the dereferenced link in the destination repository. + This can lead to surprising behavior where arbitrary files are + present in a repository's `$GIT_DIR` when cloning from a malicious + repository. + Git will no longer dereference symbolic links via the `--local` + clone mechanism, and will instead refuse to clone repositories that + have symbolic links present in the `$GIT_DIR/objects` directory. + Additionally, the value of `protocol.file.allow` is changed to be + "user" by default. + * CVE-2022-39260: + An overly-long command string given to `git shell` can result in + overflow in `split_cmdline()`, leading to arbitrary heap writes and + remote code execution when `git shell` is exposed and the directory + `$HOME/git-shell-commands` exists. + `git shell` is taught to refuse interactive commands that are + longer than 4MiB in size. `split_cmdline()` is hardened to reject + inputs larger than 2GiB. + +------------------------------------------------------------------- Old: ---- git-2.38.0.tar.sign git-2.38.0.tar.xz New: ---- git-2.38.1.tar.sign git-2.38.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.sZT6Q3/_old 2022-11-08 10:53:12.053331138 +0100 +++ /var/tmp/diff_new_pack.sZT6Q3/_new 2022-11-08 10:53:12.057331162 +0100 
@@ -36,7 +36,7 @@ %bcond_with asciidoctor %endif Name: git -Version: 2.38.0 +Version: 2.38.1 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0-only @@ -460,7 +460,10 @@ %fdupes -s %{buildroot} %check +# https://public-inbox.org/git/[email protected]/ +%ifnarch s390x ./.make %{?_smp_mflags} test +%endif %if 0%{?suse_version} >= 1500 %pre daemon -f git-daemon.pre ++++++ git-2.38.0.tar.xz -> git-2.38.1.tar.xz ++++++ /work/SRC/openSUSE:Factory/git/git-2.38.0.tar.xz /work/SRC/openSUSE:Factory/.git.new.1597/git-2.38.1.tar.xz differ: char 15, line 1
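Review bot: In the git.changes hunk, the CVE-2022-39253 entry folds a default-behaviour change ("the value of `protocol.file.allow` is changed to be "user" by default") into the description of the symlink fix; that change affects every user of the package on update, not only those cloning a malicious repository, so it deserves its own bullet so that people reading the changelog for breakage find it. Also the author line of that entry has a mis-encoded character ("Dirk M??ller"); check that the changes file is written as UTF-8 before it is committed.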
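Review bot: The `%check` hunk wraps the whole `./.make %{?_smp_mflags} test` invocation in `%ifnarch s390x`, so on s390x no part of the test suite runs, even though the changelog names a single failing test (check-chainlint); with two memory-safety fixes in this update (CVE-2022-39253, CVE-2022-39260) it would be preferable to skip only the failing test, for example via the test suite's GIT_SKIP_TESTS variable, so the rest of the suite still covers s390x. The comment line above the guard cites `https://public-inbox.org/git/[email protected]/`, which is not a resolvable reference as written; record the actual message-id or a bug number so the reason for the exclusion can be revisited when the upstream fix lands.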
