UbuntuUpdates.org

Package "git-cvs"

Name: git-cvs

Description:

fast, scalable, distributed revision control system (cvs interoperability)

Latest version: 1:2.34.1-1ubuntu1.11
Release: jammy (22.04)
Level: security
Repository: universe
Head package: git
Homepage: https://git-scm.com/

Links


Download "git-cvs"


Other versions of "git-cvs" in Jammy

Repository Area Version
base universe 1:2.34.1-1ubuntu1
updates universe 1:2.34.1-1ubuntu1.11

Changelog

Version: 1:2.34.1-1ubuntu1.11 2024-05-28 16:14:03 UTC

  git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: Facilitation of arbitrary code execution
    - debian/patches/CVE-2024-32002.patch: submodule paths
      must not contains symlinks in builtin/submodule--helper.c.
    - CVE-2024-32002
  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2024-32004.patch: detect dubious ownership of
      local repositories in path.c, setup.c, setup.h.
    - CVE-2024-32004
  * SECURITY UPDATE: Overwrite of possible malicious hardlink
    - debian/patches/CVE-2024-32020.patch: refuse clones of unsafe
      repositories in builtin/clonse.c, t0033-safe-directory.sh.
    - CVE-2024-32020
  * SECURITY UPDATE: Unauthenticated attacker to place a repository
    on their target's local system that contains symlinks
    - debian/patches/CVE-2024-32021.patch: abort when hardlinked source and
      target file differ in builtin/clone.c
    - CVE-2024-32021
  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default
      in builtin/upload-pack.c, promisor-remote.c
    - CVE-2024-32465

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 20 May 2024 09:14:17 -0300

Source diff to previous version
CVE-2024-32002 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be c
CVE-2024-32004 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repos
CVE-2024-32020 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking f
CVE-2024-32021 Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repositor
CVE-2024-32465 Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clon

Version: 1:2.34.1-1ubuntu1.9 2023-05-01 13:07:07 UTC

  git (1:2.34.1-1ubuntu1.9) jammy-security; urgency=medium

  * SECURITY UPDATE: Overwriting path
    - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
      --reject overwriting existing .rej symlink if it exists in apply.c,
      t/t4115-apply-symlink.sh.
    - CVE-2023-25652
  * SECURITY UPDATE: Malicious placement of crafted messages
    - debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
      avoid using gettext if the locale dir is not present in
      gettext.c.
    - CVE-2023-25815
  * SECURITY UPDATE: Arbitrary configuration injection
    - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
      fixed-sized buffer when renaming/deleting a section in config.c,
      t/t1300-config.sh.
    - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
      integer truncation in copy_or_rename_section_in_file() in config.c.
    - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
      overly-long lines in copy_or_rename_section_in_file in config.c.
    - CVE-2023-29007

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 26 Apr 2023 06:43:33 -0300

Source diff to previous version
CVE-2023-25652 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by fe
CVE-2023-29007 Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a spe

Version: 1:2.34.1-1ubuntu1.8 2023-02-14 20:07:20 UTC

  git (1:2.34.1-1ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: Overwritten path and using
    local clone optimization even when using a non-local transport
    - debian/patches/CVE_2023-22490_and_23946/0002-*.patch: adjust
      a mismatch data type in attr.c.
    - debian/patches/CVE_2023-22490_and_23946/0003-*.patch: demonstrate
      clone_local() with ambiguous transport in
      t/t5619-clone-local-ambiguous-transport.sh.
    - debian/patches/CVE_2023-22490_and_23946/0004-*.patch: delay
      picking a transport until after get_repo_path() in builtin/clone.c.
    - debian/patches/CVE_2023-22490_and_23946/0005-*.patch: prevent top-level
      symlinks without FOLLOW_SYMLINKS in dir-iterator, dir-iterator.h,
      t/t0066-dir-iterator.sh, t/t5604-clone-reference.sh.
    - debian/patches/CVE_2023-22490_and_23946/0006-*.patch: fix writing behind
      newly created symbolic links in apply.c, t/t4115-apply-symlink.sh.
    - CVE-2023-22490
    - CVE-2023-23946

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 08 Feb 2023 10:57:45 -0300

Source diff to previous version

Version: 1:2.34.1-1ubuntu1.6 2023-01-17 20:07:52 UTC

  git (1:2.34.1-1ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE_2022_23521_and_41903/00*.patch:
      attr.c, attr.h, pretty.c, column.c, utf8.c, utf8.h,
      t/t4205-log-pretty-formats.sh, t/test-lib.sh, git-compat-util.h,
      t/t0003-attributes.sh.
    - CVE-2022-23521
    - CVE-2022-41903

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 11 Jan 2023 15:12:27 -0300

Source diff to previous version

Version: 1:2.34.1-1ubuntu1.5 2022-10-18 20:07:59 UTC

  git (1:2.34.1-1ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Unexpected behavior
    - debian/patches/CVE-2022-39253-*.patch: disallow --local
      clones with symlinks and additionally changed the
      protocol.file.allow to be user by default in
      builtin/clone.c, transport.c, and modified tests in
      t/t5604-clone-reference.sh,
      lib-submodule-update.sh, t/t1091-sparse-checkout-builtin.sh,
      t/t1500-rev-parse.sh, t/t2400-worktree-add.sh,
      t/t2403-worktree-move.sh, t/t2405-worktree-submodule.sh,
      t/t3200-branch.sh, t/t3420-rebase-autostash.sh,
      t/t3426-rebase-submodule.sh, t/t3512-cherry-pick-submodule.sh,
      t/t3600-rm.sh, t/t3906-stash-submodule.sh,
      t/t4059-diff-submodule-not-initialized.sh,
      t/t4060-diff-submodule-option-diff-format.sh,
      t/t4067-diff-partial-clone.sh,
      t/t4208-log-magic-pathspec.sh, t/t5510-fetch.sh,
      t/t5526-fetch-submodules.sh, t/t5545-push-options.sh,
      t/t5572-pull-submodule.sh, t/t5601-clone.sh,
      t/t5614-clone-submodules-shallow.sh, t/t5616-partial-clone.sh,
      t/t5617-clone-submodules-remote.sh, t/t6008-rev-list-submodule.sh,
      t/t6134-pathspec-in-submodule.sh,
      t/t7001-mv.sh, t/t7064-wtstatus-pv2.sh,
      t/t7300-clean.sh, t/t7400-submodule-basic.sh,
      t/t7403-submodule-sync.sh, t/t7406-submodule-update.sh,
      t/t7407-submodule-foreach.sh, t/t7408-submodule-reference.sh,
      t/t7409-submodule-detached-work-tree.sh, t/t7411-submodule-config.sh,
      t/t7413-submodule-is-active.sh, t/t7414-submodule-mistakes.sh,
      t/t7415-submodule-names.sh, t/t7416-submodule-dash-url.sh,
      t/t7417-submodule-path-url.sh, t/t7418-submodule-sparse-gitmodules.sh,
      t/t7419-submodule-set-branch.sh, t/t7420-submodule-set-url.sh,
      t/t7421-submodule-summary-add.sh, t/t7506-status-submodule.sh,
      t/t7507-commit-verbose.sh, t/t7800-difftool.sh,
      t/t7814-grep-recurse-submodules.sh, t/t9304-fast-import-marks.sh,
      t/t9350-fast-export.sh, t/t1092-sparse-checkout-compatibility.sh,
      t/t2080-parallel-checkout-basics.sh, t/t7450-bad-git-dotfiles.sh.
    - CVE-2022-39253
  * SECURITY UPDATE: Arbitrary heap writes
    - debian/patches/CVE-2022-39260-*.patch: limit size of interactive
      commands and reject too-long cmdline strings in split cmdline()
      in shell.c, t/t9850-shell.sh, alias.c.
    - CVE-2022-39260

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 13 Oct 2022 09:33:36 -0300




About   -   Send Feedback to @ubuntu_updates