Hello community, here is the log from the commit of package git.1368 for openSUSE:12.1:Update checked in at 2013-03-01 21:52:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/git.1368 (Old) and /work/SRC/openSUSE:12.1:Update/.git.1368.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "git.1368", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.1:Update/.git.1368.new/git.changes 2013-03-01 21:52:15.000000000 +0100 
@@ -0,0 +1,1039 @@ +------------------------------------------------------------------- +Wed Feb 20 17:21:40 CET 2013 - ti...@suse.de + +- Fix VUL-1: missing SSL host verification in git-imap-send + (CVE-2013-0308, bnc#804730) + +------------------------------------------------------------------- +Mon Oct 17 11:44:29 UTC 2011 - cfarr...@suse.com + +- license update: GPL-2.0 + SPDX format (See http://www.spdx.org/licenses) + +------------------------------------------------------------------- +Mon Oct 17 11:47:26 CEST 2011 - ti...@suse.de + +- correct license tag to "GPL v2 only" (bnc#724499) + +------------------------------------------------------------------- +Fri Oct 14 10:16:24 CEST 2011 - ti...@suse.de + +- split cgit builds to an individual repo + +------------------------------------------------------------------- +Tue Oct 4 20:20:00 CEST 2011 - ti...@suse.de + +- updated to 1.7.7: major update from 1.7.6.x, including i18n/l10n + prepartion, updates of git-p4, gitweb, improved coloring, + various updates of git-am, git-bisect, git-cherck-attr, etc. + See Documentation/RelNotes/1.7.7.txt for details. + +------------------------------------------------------------------- +Mon Sep 26 12:55:36 CEST 2011 - ti...@suse.de + +- updated to 1.7.6.4: minor bug fixes for git-am, git-branch, + git-clone, etc + See Documentation/RelNotes/1.7.6.4.txt for details. + +------------------------------------------------------------------- +Wed Sep 21 08:43:35 CEST 2011 - ti...@suse.de + +- updated to 1.7.6.2, 1.7.6.3: minor bug fix releases + git-fetch performance fix, other fixes in git-reflog, reset, + status, tag + See Documentation/RelNotes/1.7.6.[23].txt for details. + +------------------------------------------------------------------- +Thu Aug 25 12:15:47 CEST 2011 - ti...@suse.de + +- updated to 1.7.6.1: bug fix release; many fixes for e.g. git + checkout, git diff, git fetch, etc. + See Documentation/RelNotes/1.7.6.1.txt for details. 
+ +------------------------------------------------------------------- +Wed Jun 29 17:38:24 CEST 2011 - ti...@suse.de + +- Add SuSEfirewall profile for git-daemon (bnc#628048) + +------------------------------------------------------------------- +Mon Jun 27 18:15:30 CEST 2011 - ti...@suse.de + +- update to 1.7.6: major update from 1.7.5.x + * Similar to branch names, tagnames that begin with "-" are now + disallowed. + * Simpler handling of a large file depending on core.bigfilethreshold + value + * A magic pathspec ":/" handling + * Some new options and improvements in git-blame, git-commit, git-diff + git-grep, git-format-patch, git-merge, git-svn, etc + * More prepartaion for i18n/l10n. + See Documentation/RelNotes/1.7.6.txt for details. + +------------------------------------------------------------------- +Fri Jun 24 11:36:31 CEST 2011 - ti...@suse.de + +- fix html path (bnc#675392) + +------------------------------------------------------------------- +Fri Jun 17 11:53:21 CEST 2011 - ti...@suse.de + +- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) + +------------------------------------------------------------------- +Mon Jun 6 16:02:12 CEST 2011 - ti...@suse.de + +- updated to 1.7.5.4: maintainance update, fixing in git-add -p + option, git diff -C option, and git-rerere merge error fix, etc + +------------------------------------------------------------------- +Fri May 27 11:43:23 CEST 2011 - ti...@suse.de + +- updated to 1.7.5.x: maintenance update release, see + Documentation/RelNotes/1.7.5.3.txt + Documentation/RelNotes/1.7.5.2.txt + Documentation/RelNotes/1.7.5.1.txt +- updated to 1.7.5: major version update + * Various vcs-svn, git-svn and gitk enhancements and fixes. + * Various git-gui updates (0.14.0). 
+ * Improved bash completion script + * "git repo-config" is officially deprecated + * "git checkout" performed on detached HEAD gives a warning + * "git cherry-pick" and "git revert" can have a custom merge strategy + * "git cherry-pick" remembers which commit failed to apply when it is + stopped by conflicts + * "git cvsimport" bails out immediately when cvs server is unreachable + * "git fetch" vs "git upload-pack" transfer learned 'no-done' protocol + extension + * "git fetch" can be told to recursively fetch submodules on-demand + * "git grep -f <filename>" learned to treat "-" + * "git init" learned the --separate-git-dir option + * "git log" type commands now understand globbing pathspecs + * "git log" family of commands learned --cherry and --cherry-mark options + * "git mergetool" learned how to drive "beyond compare 3" as well + * "git rerere forget" semantic changes + * "git push" with no parameters gives better advice messages + * a new "git rerere" subcommand "remaining" + See more details in Documentation/RelNotes/1.7.5.txt + +------------------------------------------------------------------- +Mon Mar 28 18:18:54 CEST 2011 - ti...@suse.de + +- updated to 1.7.4.2: + * documentation updates, small bug fixes; + see included Documentation/RelNotes/1.7.4.2.txt + +------------------------------------------------------------------- +Thu Feb 24 17:42:33 CET 2011 - dmuel...@suse.de + +- update to 1.7.4.1: + * major version update, see included Documentation/RelNotes/1.7.4.txt + +------------------------------------------------------------------- +Tue Feb 15 17:28:12 UTC 2011 - ch...@computersalat.de + +- mod apache config + o remove ending "/" from alias (Alias /git "/usr/share/gitweb/") + +------------------------------------------------------------------- +Fri Dec 17 17:51:32 CET 2010 - ti...@suse.de + +- updated to git 1.7.3.3: + In addition to the usual fixes, this release also includes + support for the new "add.ignoreErrors" name given to the + existing 
"add.ignore-errors" configuration variable. +- updated to git 1.7.3.4: + Among many fixes since v1.7.3.3, it contains a fix to a recently + discovered XSS vulnerability in Gitweb (CVE 2010-3906) + +------------------------------------------------------------------- +Mon Dec 13 09:01:59 UTC 2010 - co...@novell.com + +- fix file list for perl module on factory + +------------------------------------------------------------------- +Wed Dec 1 23:45:44 CET 2010 - dmuel...@suse.de + +- update to git 1.7.3.2: + This is primarily to push out many documentation fixes + accumulated since the 1.7.3.1 release. + +------------------------------------------------------------------- +Thu Sep 30 08:21:27 CEST 2010 - ti...@suse.de + +- updated to git 1.7.3: + major version update; new options and behavior for git-rebase, + git-clean, git-checkout, git-gui. + See release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.3.txt +- updated to git 1.7.3.1: + fix git-stash breakages +- Set NO_CROSS_DIRECTORY_HARDLINKS=1 to satisfy BS + +------------------------------------------------------------------- +Fri Aug 20 09:54:04 CEST 2010 - ti...@suse.de + +- updated to git 1.7.2.2: + This is primarily for fixing a hanging bug in the smart http + transport, but also comes with a lot of documentation udpates. + See release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.2.txt + +------------------------------------------------------------------- +Thu Jul 29 13:43:28 CEST 2010 - ti...@suse.de + +- updated to git 1.7.2.1: minor fixes for git-instaweb, git-web, + git-config. 
See release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.1.txt + +------------------------------------------------------------------- +Thu Jul 22 12:19:02 CEST 2010 - ti...@suse.de + +- updated to git 1.7.2: mostly bug fixes and small enhancements; + see the release note: + http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.7.2.txt +- gitweb stuff is moved to /usr/share/gitweb + +------------------------------------------------------------------- +Tue Jun 1 02:56:35 CEST 2010 - pbau...@suse.cz ++++ 842 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.git.1368.new/git.changes New: ---- apache2-gitweb.conf completion-wordbreaks.diff git-1.7.7.tar.gz git-CVE-2013-0308-imap-send-move-ifdef-around.patch git-CVE-2013-0308-imap-send-support-subjectAltName-as-well.patch git-CVE-2013-0308-imap-sslchecks.patch git-daemon.init git-nohardlink.diff git-prevent_xss-default.diff git-python-install-fix.diff git.changes git.spec git.xinetd susefirewall-git-daemon sysconfig.git-daemon usr.share.git-web.gitweb.cgi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ # # spec file for package git # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define gitexecdir %_libexecdir/git %define _fwdefdir /etc/sysconfig/SuSEfirewall2.d/services Name: git %if 0%{?suse_version} < 1030 %define dist_has_fdupes 0 %else %define dist_has_fdupes 1 %endif BuildRequires: asciidoc BuildRequires: curl BuildRequires: libcurl-devel BuildRequires: libexpat-devel %if %{dist_has_fdupes} BuildRequires: fdupes %endif %if 0%{?suse_version} < 1030 BuildRequires: openssl-devel %else BuildRequires: libopenssl-devel %endif BuildRequires: perl-Error BuildRequires: python BuildRequires: sgml-skel BuildRequires: xmlto Version: 1.7.7 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0 Group: Development/Tools/Version Control Url: http://git-scm.com # Source0: http://kernel.org/pub/software/scm/git/%name-%{version}.tar.bz2 Source0: %name-%{version}.tar.gz Source1: apache2-gitweb.conf Source2: sysconfig.git-daemon Source3: git-daemon.init Source4: git.xinetd Source5: usr.share.git-web.gitweb.cgi Source6: susefirewall-git-daemon Patch1: git-nohardlink.diff Patch2: git-python-install-fix.diff Patch3: completion-wordbreaks.diff # CVE-2011-2186, bnc#698456 Patch4: git-prevent_xss-default.diff # CVE-2013-0308, bnc#804730 Patch5: git-CVE-2013-0308-imap-send-move-ifdef-around.patch Patch6: git-CVE-2013-0308-imap-sslchecks.patch Patch7: git-CVE-2013-0308-imap-send-support-subjectAltName-as-well.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: git-core = %{version} Recommends: git-svn git-cvs git-email gitk git-gui git-web Suggests: git-daemon %description Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. 
This package itself only provides the README of git but with the packages it requires, it brings you a complete Git environment including GTK and email interfaces and tools for importing source code repositories from other revision control systems such as subversion, CVS, and GNU arch. Authors: -------- Linus Torvalds <torva...@osdl.org> %package core Summary: Core git tools License: GPL-2.0 Group: Development/Tools/Version Control Requires: less Requires: openssh Requires: perl-Error Requires: perl-base = %{perl_version} Requires: rsync %description core Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. These are the core tools with minimal dependencies. Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package svn Summary: Git tools for importing Subversion repositories License: GPL-2.Ã0 Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: subversion Requires: subversion-perl %description svn Tools for importing Subversion repositories to the Git version control system. Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package cvs Summary: Git tools for importing CVS repositories License: GPL-2.Ã0 Group: Development/Tools/Version Control Requires: cvs Requires: cvsps Requires: git-core = %{version} Requires: perl-DBD-SQLite %description cvs Tools for importing CVS repositories to the Git version control system. Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package arch Summary: Git tools for importing Arch repositories License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} # Requires: tla %description arch Tools for importing GNU Arch repositories to the GIT version control system. 
Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package email Summary: Git tools for sending email License: GPL-2.Ã0 Group: Development/Tools/Version Control Requires: git-core = %{version} # For sending mails over secure SMTP: Recommends: perl-Net-SMTP-SSL, perl-Authen-SASL %description email Email interface for the GIT version control system. Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package daemon Summary: Simple Server for Git Repositories License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} PreReq: /usr/sbin/useradd %fillup_prereq %insserv_prereq %description daemon A really simple TCP git daemon. In the default configuration it allows read only access to repositories in /srv/git/ that contain the 'git-daemon-export-ok' file. Authors: -------- Linus Torvalds <torva...@osdl.org> %package -n gitk Summary: Git revision tree visualiser License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: tk >= 8.4 Supplements: packageand(git-core:tk) %description -n gitk Grapical tool for visualization of revision trees of projects maintained in the Git version control system. It name gitk indicates that it's written using the Tk Widget set. A simple Tk based graphical interface for common Git operations is found in the package git-gui. Authors: -------- Linus Torvalds <torva...@osdl.org> Junio C Hamano <jun...@cox.net> %package gui Summary: Grapical tool for common git operations License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: tk >= 8.4 Supplements: packageand(git-core:tk) %description gui A Tcl/Tk based graphical user interface to Git. git-gui focuses on allowing users to make changes to their repository by making new commits, amending existing ones, creating branches, performing local merges, and fetching/pushing to remote repositories. 
Unlike gitk, git-gui focuses on commit generation and single file annotation, and does not show project history. It does however supply menu actions to start a gitk session from within git-gui. Authors: -------- Linus Torvalds <torva...@osdl.org> %package web Summary: Git Web Interface License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} Supplements: packageand(git-core:apache2) %description web CGI script that allows browsing git repositories via web interface. The apache2 configuration contained in this package installs a virtual directory /git/ that calls the cgi script. Authors: -------- Linus Torvalds <torva...@osdl.org> %package remote-helpers Summary: Python package for remote helper scripts License: GPL-2.0 Group: Development/Tools/Version Control Requires: git-core = %{version} Requires: python %description remote-helpers This package contains the building blocks for remote helpers written in Python. %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %build cat > .make <<'EOF' #!/bin/bash make %{_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" \ GITWEB_CONFIG="/etc/gitweb.conf" \ GITWEB_PROJECTROOT="/srv/git" \ WITH_OWN_SUBPROCESS_PY=YesPlease \ DESTDIR=$RPM_BUILD_ROOT \ NO_CROSS_DIRECTORY_HARDLINKS=1 \ V=1 \ prefix=%{_prefix} mandir=%{_mandir} \ gitexecdir=%{gitexecdir} \ htmldir=%{_docdir}/git-core \ "$@" EOF # chmod 755 .make ./.make all %{?_smp_mflags} %{!?_without_docs: ./.make doc} %install ./.make install %{!?_without_docs: install-doc} ### git-web cp gitweb/INSTALL INSTALL.gitweb cp gitweb/README README.gitweb install -d ${RPM_BUILD_ROOT}/usr/share/git-web install -d ${RPM_BUILD_ROOT}/etc/apache2/conf.d install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/apache2/conf.d/gitweb.conf ### git-daemon install -d -m 755 $RPM_BUILD_ROOT/etc/init.d install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/etc/init.d/git-daemon install -d -m 755 $RPM_BUILD_ROOT%{_sbindir} ln -s ../../etc/init.d/git-daemon 
$RPM_BUILD_ROOT%{_sbindir}/rcgit-daemon install -d -m 755 $RPM_BUILD_ROOT/var/adm/fillup-templates install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.git-daemon install -d -m 755 $RPM_BUILD_ROOT/srv/git install -d -m 755 $RPM_BUILD_ROOT/etc/xinetd.d install -m 644 %{S:4} $RPM_BUILD_ROOT/etc/xinetd.d/git mkdir -p $RPM_BUILD_ROOT/%{_fwdefdir} install -m 644 %{S:6} $RPM_BUILD_ROOT/%{_fwdefdir}/git-daemon ### (find $RPM_BUILD_ROOT%{_bindir} -type f | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) > bin-man-doc-files (find $RPM_BUILD_ROOT%{gitexecdir} -mindepth 1 | grep -vE "archimport|svn|cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@) >> bin-man-doc-files (find $RPM_BUILD_ROOT%{_mandir} $RPM_BUILD_ROOT/Documentation -type f | grep -vE "archimport|svn|git-cvs|email|gitk|daemon|gui" | sed -e s@^$RPM_BUILD_ROOT@@ -e 's/$/*/' ) >> bin-man-doc-files ( pushd perl perl Makefile.PL make -f perl.mak DESTDIR=${RPM_BUILD_ROOT} install_vendor ) rm -rf ${RPM_BUILD_ROOT}/usr/lib/perl5/site_perl %perl_process_packlist find $RPM_BUILD_ROOT/%_mandir -type f -print0 | xargs -0 chmod 644 install -m 644 -D contrib/completion/git-completion.bash $RPM_BUILD_ROOT/etc/bash_completion.d/git.sh # # apparmor profile for git-web # install -d -m 755 $RPM_BUILD_ROOT/etc/apparmor.d install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/apparmor.d # %if %{dist_has_fdupes} # create predictable symlinks to make apparmor profile work for i in git git-upload-archive; do rm $RPM_BUILD_ROOT%{_bindir}/$i ln -s %{gitexecdir}/git-add $RPM_BUILD_ROOT%{_bindir}/$i done if ! test -f $RPM_BUILD_ROOT%{gitexecdir}/git-add; then echo "git-add is not a regular file, apparmor profile won't work!" >&2 exit 1 fi # use symlinks instead of hardlinks in sub-commands %fdupes -s $RPM_BUILD_ROOT %endif %clean rm -rf $RPM_BUILD_ROOT %pre daemon if ! 
/usr/bin/getent passwd git-daemon >/dev/null; then /usr/sbin/useradd -r -d /var/lib/empty -s /bin/false -c "git daemon" -g nogroup git-daemon || : fi %post daemon %{fillup_and_insserv -n git-daemon} %postun daemon %{insserv_cleanup} %preun daemon %stop_on_removal %files %defattr(-,root,root) %doc README %files svn %defattr(-,root,root) %{gitexecdir}/*svn* %doc Documentation/*svn*.txt %{!?_without_docs: %{_mandir}/man1/*svn*.1*} %{!?_without_docs: %doc Documentation/*svn*.html } %files cvs %defattr(-,root,root) %doc Documentation/*git-cvs*.txt %{_bindir}/git-cvs* %{gitexecdir}/*cvs* %{!?_without_docs: %{_mandir}/man1/*cvs*.1*} %{!?_without_docs: %doc Documentation/*git-cvs*.html } %files arch %defattr(-,root,root) %doc Documentation/git-archimport.txt %{gitexecdir}/git-archimport %{!?_without_docs: %{_mandir}/man1/git-archimport.1*} %{!?_without_docs: %doc Documentation/git-archimport.html } %files email %defattr(-,root,root) %doc Documentation/*email*.txt %{gitexecdir}/*email* %{!?_without_docs: %{_mandir}/man1/*email*.1*} %{!?_without_docs: %doc Documentation/*email*.html } %files daemon %defattr(-,root,root) %doc Documentation/*daemon*.txt %{gitexecdir}/*daemon* /etc/init.d/git-daemon %{_sbindir}/rcgit-daemon %dir /srv/git /var/adm/fillup-templates/sysconfig.git-daemon %{!?_without_docs: %{_mandir}/man1/*daemon*.1*} %{!?_without_docs: %doc Documentation/*daemon*.html } %config(noreplace) /etc/xinetd.d/git %config %{_fwdefdir}/* %files -n gitk %defattr(-,root,root) %doc Documentation/*gitk*.txt %{_bindir}/gitk /usr/share/gitk %{!?_without_docs: %{_mandir}/man1/*gitk*.1*} %{!?_without_docs: %doc Documentation/*gitk*.html } %files gui %defattr(-,root,root) %doc Documentation/*gui*.txt %{gitexecdir}/git-gui* /usr/share/git-gui %{!?_without_docs: %{_mandir}/man1/*gui*.1*} %{!?_without_docs: %doc Documentation/*gui*.html } %files web %defattr(-,root,root) %doc README.gitweb INSTALL.gitweb %dir /etc/apache2 %dir /etc/apache2/conf.d %config(noreplace) 
/etc/apache2/conf.d/gitweb.conf /usr/share/gitweb /etc/apparmor.d %files remote-helpers %defattr(-,root,root) %if %suse_version >= 1120 %python_sitelib/* %else %py_sitedir/* %endif %files core -f bin-man-doc-files %defattr(-,root,root) %{_bindir}/git %{_datadir}/git-core/ %dir %{gitexecdir} %doc README COPYING Documentation/*.txt %{!?_without_docs: %doc Documentation/*.html } %if 0%{?suse_version} < 1140 /var/adm/perl-modules/%{name} %endif %{perl_vendorlib}/Git.pm %{perl_vendorarch}/auto/Git/ /etc/bash_completion.d/git.sh %changelog ++++++ apache2-gitweb.conf ++++++ Alias /git "/usr/share/gitweb/" <Directory "/usr/share/gitweb"> Options ExecCGI AllowOverride None AddHandler cgi-script .cgi DirectoryIndex gitweb.cgi Order allow,deny Allow from all </Directory> ++++++ completion-wordbreaks.diff ++++++ --- contrib/completion/git-completion.bash | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/contrib/completion/git-completion.bash +++ b/contrib/completion/git-completion.bash @@ -77,10 +77,12 @@ autoload -U +X bashcompinit && bashcompinit fi -case "$COMP_WORDBREAKS" in -*:*) : great ;; -*) COMP_WORDBREAKS="$COMP_WORDBREAKS:" -esac +# SUSE-specific: We trust the system is consistent and do not let individual +# scripts play ping-pong with the global $COMP_WORDBREAKS value. +#case "$COMP_WORDBREAKS" in +#*:*) : great ;; +#*) COMP_WORDBREAKS="$COMP_WORDBREAKS:" +#esac # __gitdir accepts 0 or 1 arguments (i.e., location) # returns location of .git repo ++++++ git-CVE-2013-0308-imap-send-move-ifdef-around.patch ++++++ >From 41b978d2e07232c21a30a4b2f055afdd245b0ea5 Mon Sep 17 00:00:00 2001 
From: Junio C Hamano <gits...@pobox.com>
Date: Fri, 15 Feb 2013 12:32:19 -0800
Subject: [PATCH v3 1/3] imap-send: move #ifdef around
Instead of adding an early return to the inside of the ssl_socket_connect() function for NO_OPENSSL compilation, split it into a separate stub function. No functional change, but the next change to extend ssl_socket_connect() will become easier to read this way.
Signed-off-by: Junio C Hamano <gits...@pobox.com>
---
 imap-send.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/imap-send.c
+++ b/imap-send.c
@@ -266,12 +266,17 @@ static void socket_perror(const char *fu
 }
 }
 
+#ifdef NO_OPENSSL
 static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
 {
-#ifdef NO_OPENSSL
 fprintf(stderr, "SSL requested but SSL support not compiled in\n");
 return -1;
+}
+
 #else
+
+static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
+{
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
 const SSL_METHOD *meth;
 #else
@@ -323,8 +328,8 @@ static int ssl_socket_connect(struct ima
 }
 
 return 0;
-#endif
 }
+#endif
 
 static int socket_read(struct imap_socket *sock, char *buf, int len)
 {
++++++ git-CVE-2013-0308-imap-send-support-subjectAltName-as-well.patch ++++++
>From f6460f871e382edd62c3a8c6948158e7a9ecaf64 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen <o...@kde.org>
Date: Fri, 15 Feb 2013 12:59:53 -0800
Subject: [PATCH v3 3/3] imap-send: support subjectAltName as well
Check not only the common name of the certificate subject, but also check the subject alternative DNS names as well, when verifying that the certificate matches that of the host we are trying to talk to.
Signed-off-by: Oswald Buddenhagen <o...@kde.org>
Signed-off-by: Junio C Hamano <gits...@pobox.com>
---
 imap-send.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
--- a/imap-send.c
+++ b/imap-send.c
@@ -31,6 +31,7 @@ typedef void *SSL;
 #else
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#include <openssl/x509v3.h>
 #endif
 
 struct store_conf {
@@ -292,6 +293,24 @@ static int verify_hostname(X509 *cert, c
 int len;
 X509_NAME *subj;
 char cname[1000];
+ int i, found;
+ STACK_OF(GENERAL_NAME) *subj_alt_names;
+
+ /* try the DNS subjectAltNames */
+ found = 0;
+ if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
+ int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
+ for (i = 0; !found && i < num_subj_alt_names; i++) {
+ GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
+ if (subj_alt_name->type == GEN_DNS &&
+ strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
+ host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
+ found = 1;
+ }
+ sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
+ }
+ if (found)
+ return 0;
 
 /* try the common name */
 if (!(subj = X509_get_subject_name(cert)))
++++++ git-CVE-2013-0308-imap-sslchecks.patch ++++++
Junio C Hamano <gits...@pobox.com> writes:
> Kurt Seifried <kseifr...@redhat.com> writes:
> ...
>> You can post it to this list which will get it to vendors in advance
>> and rolled into updates.
>
> It is a three-patch series attached.
> ...
The second patch should add the additional check inside an "if (verify)" conditional, as we allow imap.sslverify=false to disable the certificate check. Here is a replacement patch for that one.
-- >8 --
From: Oswald Buddenhagen <o...@kde.org>
Date: Fri, 15 Feb 2013 12:50:35 -0800
Subject: [PATCH 2/3] imap-send: the subject of SSL certificate must match the host
We did not check a valid certificate's subject at all, and would have happily talked with a wrong host after connecting to an incorrect address and getting a valid certificate that does not belong to the host we intended to talk to.
Signed-off-by: Oswald Buddenhagen <o...@kde.org>
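Review bot: In the `@@ -292,6 +293,24 @@` hunk of verify_hostname(), a certificate whose subjectAltName carries DNS entries that all fail to match still falls through to the common-name comparison, so the CN can vouch for a host that the SAN list leaves out. RFC 6125 section 6.4.4 allows the CN to be consulted only when the certificate presents no dNSName entries. Recording whether any `GEN_DNS` entry was seen and failing right after the loop in that case closes the gap. The rest of verify_hostname() lies outside this hunk.

```c
	int i, found, saw_dns;
	/* … unchanged: subj_alt_names declaration … */
	found = saw_dns = 0;
	/* … unchanged: X509_get_ext_d2i() lookup and loop header … */
			GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
			if (subj_alt_name->type != GEN_DNS)
				continue;
			saw_dns = 1;
			if (strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
			    host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
				found = 1;
	/* … unchanged: loop end, sk_GENERAL_NAME_pop_free(), `if (found) return 0;` … */
	if (saw_dns)
		return error("certificate subjectAltName does not match hostname '%s'", hostname);
```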
Signed-off-by: Junio C Hamano <gits...@pobox.com>
---
 imap-send.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
--- a/imap-send.c
+++ b/imap-send.c
@@ -275,6 +275,35 @@ static int ssl_socket_connect(struct ima
 
 #else
 
+static int host_matches(const char *host, const char *pattern)
+{
+ if (pattern[0] == '*' && pattern[1] == '.') {
+ pattern += 2;
+ if (!(host = strchr(host, '.')))
+ return 0;
+ host++;
+ }
+
+ return *host && *pattern && !strcasecmp(host, pattern);
+}
+
+static int verify_hostname(X509 *cert, const char *hostname)
+{
+ int len;
+ X509_NAME *subj;
+ char cname[1000];
+
+ /* try the common name */
+ if (!(subj = X509_get_subject_name(cert)))
+ return error("cannot get certificate subject");
+ if ((len = X509_NAME_get_text_by_NID(subj, NID_commonName, cname, sizeof(cname))) < 0)
+ return error("cannot get certificate common name");
+ if (strlen(cname) == (size_t)len && host_matches(hostname, cname))
+ return 0;
+ return error("certificate owner '%s' does not match hostname '%s'",
+ cname, hostname);
+}
+
 static int ssl_socket_connect(struct imap_socket *sock, int use_tls_only, int verify)
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
@@ -284,6 +313,7 @@ static int ssl_socket_connect(struct ima
 #endif
 SSL_CTX *ctx;
 int ret;
+ X509 *cert;
 
 SSL_library_init();
 SSL_load_error_strings();
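Review bot: host_matches() in the `@@ -275,6 +275,35 @@` hunk accepts a wildcard whose remainder is a single label: for a pattern such as `*.com` it drops the first label of the host and compares what is left with `com`, so the name matches every host directly under that suffix. Requiring a dot in the remainder, `if (!strchr(pattern, '.')) return 0;` right after `pattern += 2;`, keeps a wildcard from covering a whole top-level domain. verify_hostname() also passes `cname`, which is taken from the peer's certificate, to `error()` with `%s`; a comment there such as `/* cname is attacker-controlled text; printed for diagnosis only */` would warn anyone who later reuses the value.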
@@ -327,6 +357,15 @@ static int ssl_socket_connect(struct ima
 return -1;
 }
 
+ if (verify) {
+ /* make sure the hostname matches that of the certificate */
+ cert = SSL_get_peer_certificate(sock->ssl);
+ if (!cert)
+ return error("unable to get peer certificate.");
+ if (verify_hostname(cert, server.host) < 0)
+ return -1;
+ }
+
 return 0;
 }
 #endif
++++++ git-daemon.init ++++++
#!/bin/sh # # SUSE system startup script for git-daemon # Copyright (C) 1995-2008 SUSE / Novell Inc. # # This library is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or (at # your option) any later version. # # This library is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. 
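Review bot: The certificate returned by `SSL_get_peer_certificate()` in the new `if (verify)` block is never released; that call hands the caller its own reference, and both the success path and the `return -1` path drop it. Reusing the existing `ret` local avoids the leak: `ret = verify_hostname(cert, server.host); X509_free(cert); if (ret < 0) return -1;`. Because the check is skipped when `verify` is 0, a connection with imap.sslverify=false proceeds with no identity check, which the patch description says is intended; a one-line comment at the `if` saying so would keep it from being read as an oversight. ssl_socket_connect() starts outside the hunk, so whether chain validation is configured before this point cannot be confirmed from here.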
# # /etc/init.d/git-daemon # and its symbolic link # /usr/sbin/rcgit-daemon # ### BEGIN INIT INFO # Provides: git-daemon # Required-Start: $syslog $remote_fs $network # Required-Stop: $syslog $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: server for git repositories # Description: server for git repositories ### END INIT INFO if test -x /usr/lib64/git/git-daemon; then git_daemon=/usr/lib64/git/git-daemon elif test -x /usr/lib/git/git-daemon; then git_daemon=/usr/lib/git/git-daemon else echo "git-daemon not installed" if [ "$1" = "stop" ]; then exit 0 else exit 5 fi fi pidfile=/var/run/git-daemon.pid # Check for existence of needed config file and read it git_daemon_config=/etc/sysconfig/git-daemon test -r $git_daemon_config || { echo "$git_daemon_config not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } # Read config . $git_daemon_config : ${GIT_DAEMON_BASE_PATH:=/srv/git} . /etc/rc.status # Reset status of this service rc_reset case "$1" in start) echo -n "Starting git-daemon " /sbin/startproc -p $pidfile $git_daemon \ --syslog \ --detach \ --reuseaddr \ --user=git-daemon \ --group=nogroup \ --pid-file=$pidfile \ --base-path="$GIT_DAEMON_BASE_PATH" \ $GIT_DAEMON_ARGS rc_status -v ;; stop) echo -n "Shutting down git-daemon " /sbin/killproc -p $pidfile $git_daemon -TERM rc_status -v ;; try-restart|condrestart) if test "$1" = "condrestart"; then echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. 
$0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) $0 try-restart rc_status ;; reload) echo -n "Reload service git-daemon " ## does not support reload rc_failed 3 rc_status -v ;; status) echo -n "Checking for service git-daemon " /sbin/checkproc -p $pidfile $git_daemon rc_status -v ;; probe) test $git_daemon_config -nt $pidfile && echo reload ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 ;; esac rc_exit ++++++ git-nohardlink.diff ++++++ don't use hardlinks as our .spec calls fdupes which converts the hardlinks to symlinks again in an unpredicatable way --- Makefile | 1 - 1 file changed, 1 deletion(-) --- a/Makefile +++ b/Makefile @@ -2252,7 +2252,6 @@ done && \ for p in $(BUILT_INS); do \ $(RM) "$$execdir/$$p" && \ - ln "$$execdir/git$X" "$$execdir/$$p" 2>/dev/null || \ ln -s "git$X" "$$execdir/$$p" 2>/dev/null || \ cp "$$execdir/git$X" "$$execdir/$$p" || exit; \ done && \ ++++++ git-prevent_xss-default.diff ++++++ From: Jakub Narebski <jna...@...il.com> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <db.pub.m...@...il.com> Signed-off-by: Jakub Narebski <jna...@...il.com> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -583,6 +583,10 @@ our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; + \$feature{'remote_heads'}{'default'} = [1]; EOF } --- a/gitweb/README +++ b/gitweb/README 
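Review bot: The comment added to git-instaweb.sh in the `@@ -583,6 +583,10 @@` hunk states as a fact that the repository can be trusted, but the generated config applies to whatever repository instaweb is started in, which may be a clone of third-party work. With `$prevent_xss = 0`, the features named in the gitweb/README hunk of the same patch (per-repository README.html, `blob_plain` used as a deployment platform) serve repository content in the gitweb origin. I would word the comment as a condition, for example `# XSS prevention is disabled to enable extra features; only safe if all content in this repository comes from a trusted source`. The enclosing shell function starts outside the hunk.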
@@ -131,8 +131,9 @@ * $prevent_xss If true, some gitweb features are disabled to prevent content in repositories from launching cross-site scripting (XSS) attacks. Set this - to true if you don't trust the content of your repositories. The default - is false. + to false if you trust the content of your repositories, and want to use + per-repository README.html, or use gitweb as deployment platform + via 'blob_plain' view and path_info links. The default is true. * $maxload Used to set the maximum load that we will still respond to gitweb queries. If server load exceed this value then return "503 Service Unavailable" error. --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -170,7 +170,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # Path to the highlight executable to use (must be the one from # http://www.andre-simon.de due to assumptions about parameters and output). ++++++ git-python-install-fix.diff ++++++ --- Makefile | 2 +- git_remote_helpers/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/git_remote_helpers/Makefile +++ b/git_remote_helpers/Makefile @@ -29,7 +29,7 @@ $(QUIET)$(PYTHON_PATH) $(pysetupfile) $(QUIETSETUP) build install: $(pysetupfile) - $(PYTHON_PATH) $(pysetupfile) install --prefix $(DESTDIR_SQ)$(prefix) + $(PYTHON_PATH) $(pysetupfile) install --prefix $(prefix) --root $(DESTDIR_SQ) instlibdir: $(pysetupfile) @echo "$(DESTDIR_SQ)$(prefix)/$(PYLIBDIR)" --- a/Makefile +++ b/Makefile 
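Review bot: The two comment lines above `our $prevent_xss = 1;` in gitweb/gitweb.perl still do not say that the protection is now on by default or how a site turns it off. An admin whose README.html or `blob_plain` pages stop working after the update has to find the README entry to learn why. I would extend the comment with one line: `# Enabled by default; set to 0 in the gitweb config file only when all repository content is trusted.`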
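Review bot: In the `install` recipe of git_remote_helpers/Makefile, `--root $(DESTDIR_SQ)` is passed unconditionally and unquoted. A build without DESTDIR (assuming DESTDIR_SQ is derived from it) leaves `--root` with no argument, which setup.py is expected to reject, and a staging path containing spaces is split by the shell. Package builds always set DESTDIR, which is probably why this went unnoticed. I would guard and quote it: `$(PYTHON_PATH) $(pysetupfile) install --prefix $(prefix) $(if $(DESTDIR_SQ),--root '$(DESTDIR_SQ)')`.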
@@ -1800,7 +1800,7 @@ $(patsubst %.py,%,$(SCRIPT_PYTHON)): % : %.py $(QUIET_GEN)$(RM) $@ $@+ && \ INSTLIBDIR=`MAKEFLAGS= $(MAKE) -C git_remote_helpers -s \ - --no-print-directory prefix='$(prefix_SQ)' DESTDIR='$(DESTDIR_SQ)' \ + --no-print-directory prefix='$(prefix_SQ)' DESTDIR=\ instlibdir` && \ sed -e '1s|#!.*python|#!$(PYTHON_PATH_SQ)|' \ -e 's|\(os\.getenv("GITPYTHONLIB"\)[^)]*)|\1,"@@INSTLIBDIR@@")|' \ ++++++ git.xinetd ++++++ # default: off # description: The git server offers access to git repositories service git { disable = yes socket_type = stream protocol = tcp wait = no user = git-daemon group = nogroup server = /usr/bin/git server_args = daemon --syslog --inetd --base-path=/srv/git type = UNLISTED port = 9418 log_on_failure += USERID } ++++++ susefirewall-git-daemon ++++++ ## Name: git-daemon ## Description: Open ports for git-daemon TCP="git" ++++++ sysconfig.git-daemon ++++++ ## Path: Network/git-daemon ## Description: git daemon configuration ## ServiceRestart: git-daemon ## Type: string ## Default: # # base path for exported directories # # defaults to "/srv/git" if not set # GIT_DAEMON_BASE_PATH="" ## Type: string ## Default: # # additional arguments for git-daemon. See manual page GIT_DAEMON_ARGS="" ++++++ usr.share.git-web.gitweb.cgi ++++++ # Last Modified: Fri Dec 19 11:03:49 2008 #include <tunables/global> /usr/share/gitweb/gitweb.cgi { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/nameservice> #include <abstractions/perl> /bin/bash rix, /dev/tty rw, /etc/gitweb.conf r, /etc/mime.types r, /proc/meminfo r, /proc/sys/kernel/ngroups_max r, /srv/git/ r, /srv/git/** r, /usr/bin/perl ix, /usr/lib/git/git rix, /usr/bin/git-receive-pack rix, /usr/share/gitweb/* r, /usr/share/gitweb/static/* r, } -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
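Review bot: The new `DESTDIR=\` in the `$(SCRIPT_PYTHON)` rule puts the empty assignment directly against the line continuation, so `instlibdir` stays a separate goal only while the following line keeps leading whitespace after the shell joins the two. The indentation is not visible in this view. If it were ever lost, the sub-make would run with `DESTDIR=instlibdir` and no goal, and INSTLIBDIR would be wrong. Writing the empty value explicitly removes the dependency: `--no-print-directory prefix='$(prefix_SQ)' DESTDIR='' \`. The recipe continues past the end of the hunk.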