Format: 1.8
Date: Sun, 29 Jan 2023 15:46:13 +0100
Source: git
Architecture: source
Version: 1:2.39.1-0.1~bpo11+1
Distribution: bullseye-backports
Urgency: medium
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Sven Hoexter <hoexter@debian.org>
Closes: 1010720 1016723 1022046 1029114
Changes:
 git (1:2.39.1-0.1~bpo11+1) bullseye-backports; urgency=medium
 .
   * Rebuild for bullseye-backports.
 .
 git (1:2.39.1-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream stable release (Closes: #1029114)
     Fixes CVE-2022-23521 and CVE-2022-41903.
 .
 git (1:2.39.0-1) unstable; urgency=low
 .
   * new upstream release (see RelNotes/2.39.0.txt).
 .
 git (1:2.38.1-1) unstable; urgency=medium
 .
   * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
     RelNotes/2.38.1.txt).
   * Addresses the security issue CVE-2022-39253: cloning an
     attacker-controlled local repository could store arbitrary
     files in the ".git" directory of the destination repository.
 .
     Thanks to Cory Snider of Mirantis for reporting this
     vulnerability and Taylor Blau for the mitigation.
 .
   * Addresses CVE-2022-39260: a long command string passed to a
     `git shell` configured to support custom commands could
     overflow and run arbitrary code.
 .
     Thanks to Kevin Backhouse of GitHub for reporting this
     vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
     for mitigating it.
 .
 git (1:2.37.2-1) unstable; urgency=low
 .
   * new upstream release (closes: #1016723; see RelNotes/2.37.0.txt,
     RelNotes/2.37.1.txt, RelNotes/2.37.2.txt).
 .
 git (1:2.36.1-1) unstable; urgency=low
 .
   * new upstream point release (closes: #1010720; see
     RelNotes/2.36.1.txt).
 .
 git (1:2.36.0-1) unstable; urgency=low
 .
   * new upstream release (see RelNotes/2.36.0.txt).
 .
 git (1:2.35.2-1) unstable; urgency=medium
 .
   * new upstream point release (see RelNotes/2.35.2.txt).
   * Addresses the security issue CVE-2022-24765: Git users might
     have found themselves unexpectedly in a Git worktree, e.g. when
     another user created a repository in `/tmp/.git`, in a mounted
     network drive or in a scratch space. Having a Git-aware prompt
     that runs `git status` (or `git diff`) and navigating to a
     directory which is supposedly not a Git worktree, or opening
     such a directory in an IDE with Git support such as VS Code,
     could then run commands specified by that other user.
 .
     Thanks to 俞晨东 for discovering this vulnerability and
     Johannes Schindelin for the mitigation.
 .
 git (1:2.35.1-1) unstable; urgency=low
 .
   * new upstream release (see RelNotes/2.35.0.txt,
     RelNotes/2.35.1.txt).