-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 27 May 2018 10:48:46 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u3) stretch-security; urgency=high
 .
   * Fix CVE-2018-11235, arbitrary code execution via submodule names in
     .gitmodules file:
     - submodule: verify submodule names as paths
     - fsck: simplify ".git" check
     - fsck: fsck blob data
     - fsck: detect .gitmodules files
     - fsck: check .gitmodules content
     - fsck: call fsck_finish after fscking objects
     - unpack-objects: call fsck_finish after fscking objects
     - index-pack: check .gitmodules files with --strict
   * Fix CVE-2018-11233, out-of-bounds read when validating NTFS paths:
     - is_ntfs_dotgit: use a size_t for traversing string
   * Do not allow .gitmodules to be a symlink:
     - is_hfs_dotgit: match other .git* files
     - is_ntfs_dotgit: match other .git* files
     - is_{hfs,ntfs}_dotgitmodules: add tests
     - skip_prefix: add case-insensitive variant
     - verify_path: drop clever fallthrough
     - verify_dotfile: mention case-insensitivity in comment
     - update-index: stat updated files earlier
     - verify_path: disallow .gitmodules symlinks
     - fsck: complain when .gitmodules is a symlink
   * debian/rules: make the new test executable.
 .
   Thanks to Brandon Williams, Etienne Stalmans, and Jeff King for
   discovering and reporting these vulnerabilities and to Jeff King and
   Johannes Schindelin for fixing them.