git - Debian Package Tracker

general

source: git (main)
version: 1:2.40.1-1
maintainer: Jonathan Nieder (DMD)
uploaders: Anders Kaseorg [DMD]
arch: all any
std-ver: 4.3.0.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.20.1-2+deb10u3
o-o-sec: 1:2.20.1-2+deb10u8
o-o-bpo: 1:2.30.2-1~bpo10+1
oldstable: 1:2.30.2-1+deb11u2
old-sec: 1:2.30.2-1+deb11u2
old-bpo: 1:2.39.2-1~bpo11+1
stable: 1:2.39.2-1.1
testing: 1:2.40.1-1
unstable: 1:2.40.1-1
exp: 1:2.40.1+next.20230427-1

versioned links

1:2.20.1-2+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.20.1-2+deb10u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.30.2-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.30.2-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.39.2-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.39.2-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.40.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.40.1+next.20230427-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

git (266 bugs: 0, 121, 145, 0)
git-all (2 bugs: 0, 0, 2, 0)
git-cvs (8 bugs: 0, 3, 5, 0)
git-daemon-run (7 bugs: 2, 2, 3, 0)
git-daemon-sysvinit (7 bugs: 0, 2, 5, 0)
git-doc (7 bugs: 0, 1, 6, 0)
git-email (18 bugs: 0, 7, 11, 0)
git-gui (21 bugs: 0, 11, 10, 0)
git-man (25 bugs: 0, 7, 18, 0)
git-mediawiki
git-svn (27 bugs: 0, 10, 17, 0)
gitk (28 bugs: 0, 9, 19, 0)
gitweb (16 bugs: 0, 7, 9, 0)

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

more than one main upstream tarballs listed.

Created: 2021-08-24 Last update: 2023-09-24 14:34

A new upstream version is available: 2.42.0 high

A new upstream version 2.42.0 is available, you should consider packaging it.

Created: 2023-06-04 Last update: 2023-09-24 14:34

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2017-12-03 Last update: 2023-09-24 07:15

lintian reports 1 error and 21 warnings high

Lintian reports 1 error and 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-01 Last update: 2023-03-01 00:32

27 bugs tagged patch in the BTS normal

The BTS contains patches fixing 27 bugs (34 if counting merged bugs), consider including or untagging them.

Created: 2023-09-13 Last update: 2023-09-24 17:01

Depends on packages which need a new maintainer normal

The packages that git depends on which need a new maintainer are:

cvsps (#501257)
- Depends: cvsps
- Build-Depends: cvsps
docbook-xsl (#802370)
- Build-Depends-Indep: docbook-xsl

Created: 2019-11-22 Last update: 2023-09-24 16:10

piuparts found (un)installation error(s) normal

Piuparts stresses package installation, uninstallation, upgrade, ... While doing such tests, one or more errors were found for the following suites:

sid - piuparts

You should fix them.

Created: 2023-06-19 Last update: 2023-06-19 14:02

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

3 issues left for the package maintainer to handle:

CVE-2023-25652: (needs triaging) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.
CVE-2023-25815: (needs triaging) In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
CVE-2023-29007: (needs triaging) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-04-25 Last update: 2023-06-20 05:52

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-25652: (needs triaging) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.
CVE-2023-25815: (needs triaging) In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
CVE-2023-29007: (needs triaging) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2023-06-20 05:52

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:22

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.3.0.1).

Created: 2019-07-08 Last update: 2023-05-09 18:45

news

[rss feed]

[2023-06-20] git 1:2.40.1-1 MIGRATED to testing (Debian testing watch)
[2023-04-28] Accepted git 1:2.40.1+next.20230427-1 (source) into experimental (Jonathan Nieder)
[2023-04-26] Accepted git 1:2.40.1+next.20230424-1 (source) into experimental (Jonathan Nieder)
[2023-04-25] Accepted git 1:2.40.1-1 (source) into unstable (Jonathan Nieder)
[2023-03-21] Accepted git 1:2.40.0+next.20230319-1 (source) into experimental (Jonathan Nieder)
[2023-03-21] Accepted git 1:2.40.0+next.20230313-1 (source) into experimental (Jonathan Nieder)
[2023-03-21] Accepted git 1:2.40.0-1 (source) into unstable (Jonathan Nieder)
[2023-03-10] git 1:2.39.2-1.1 MIGRATED to testing (Debian testing watch)
[2023-02-28] Accepted git 1:2.39.2-1.1 (source) into unstable (Matthew Vernon)
[2023-02-26] Accepted git 1:2.39.2-1~bpo11+1 (source) into bullseye-backports (Sven Hoexter)
[2023-02-26] git 1:2.39.2-1 MIGRATED to testing (Debian testing watch)
[2023-02-23] Accepted git 1:2.30.2-1+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Aron Xu)
[2023-02-23] Accepted git 1:2.20.1-2+deb10u8 (source) into oldstable (Emilio Pozuelo Monfort)
[2023-02-23] Accepted git 1:2.30.2-1+deb11u2 (source) into stable-security (Debian FTP Masters) (signed by: Aron Xu)
[2023-02-16] Accepted git 1:2.39.2+next.20230215-1 (source) into experimental (Jonathan Nieder)
[2023-02-16] Accepted git 1:2.39.2-1 (source) into unstable (Jonathan Nieder)
[2023-01-31] Accepted git 1:2.30.2-1+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Aron Xu)
[2023-01-31] git 1:2.39.1-0.1 MIGRATED to testing (Debian testing watch)
[2023-01-30] Accepted git 1:2.39.1-0.1~bpo11+1 (source) into bullseye-backports (Sven Hoexter)
[2023-01-29] Accepted git 1:2.30.2-1+deb11u1 (source) into stable-security (Debian FTP Masters) (signed by: Aron Xu)
[2023-01-26] Accepted git 1:2.20.1-2+deb10u7 (source) into oldstable (Sylvain Beucler)
[2023-01-26] Accepted git 1:2.39.1-0.1 (source) into unstable (Aron Xu)
[2022-12-28] git 1:2.39.0-1 MIGRATED to testing (Debian testing watch)
[2022-12-23] Accepted git 1:2.39.0+next.20221220-1 (source) into experimental (Calvin Wan) (signed by: Jonathan Nieder)
[2022-12-14] Accepted git 1:2.20.1-2+deb10u6 (source) into oldstable (Sylvain Beucler)
[2022-12-13] Accepted git 1:2.20.1-2+deb10u5 (source) into oldstable (Sylvain Beucler)
[2022-12-12] Accepted git 1:2.39.0+next.20221212-1 (source) into experimental (Jonathan Nieder)
[2022-12-12] Accepted git 1:2.39.0-1 (source) into unstable (Jonathan Nieder)
[2022-11-04] Accepted git 1:2.38.1+next.20221031-1 (source) into experimental (Jonathan Nieder)
[2022-11-01] Accepted git 1:2.38.1-1 (source) into unstable (Jonathan Nieder)

bugs [bug history graph]

all: 438 453
RC: 2
I&N: 190 191
M&W: 246 260
F&P: 0
patch: 27 34

links

homepage
lintian (1, 21)
buildd: logs, exp, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 93)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:2.40.1-1ubuntu1
87 bugs (2 patches)
patches for 1:2.40.1-1ubuntu1