Message-ID: <xmqqv8s2fefi.fsf@gitster.g>
Date:   Tue, 12 Jul 2022 10:06:57 -0700
From:   Junio C Hamano <gitster@...ox.com>
To:     git@...r.kernel.org
Cc:     Linux Kernel <linux-kernel@...r.kernel.org>,
        git-packagers@...glegroups.com
Subject: [ANNOUNCE] Git v2.37.1 and others

Git v2.37.1, together with v2.30.5, v2.31.4, v2.32.3, v2.33.4,
v2.34.4, v2.35.4, and v2.36.2 for older maintenance tracks, are now
available at the usual places.

These are to address CVE-2022-29187, where the fixes in v2.36.1 and
below to address CVE-2022-24765 released earlier may not have been
complete.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.37.1'
tag and other tags for older maintenance tracks.

  url = https://git.kernel.org/pub/scm/git/git
  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git 2.37.1 Release Notes
========================

This release merges up the fixes that appear in v2.30.5, v2.31.4,
v2.32.3, v2.33.4, v2.34.4, v2.35.4, and v2.36.2 to address the
security issue CVE-2022-29187; see the release notes for these
versions for details.

Fixes since Git 2.37
--------------------

 * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
   correctly record a removed file to the index, which is an old
   regression but has become widely known because the C version has
   become the default in the latest release.

 * Fix for CVE-2022-29187.

----------------------------------------------------------------

Git v2.30.5 Release Notes
=========================

This release contains minor fix-ups for the changes that went into
Git 2.30.3 and 2.30.4, addressing CVE-2022-29187.

 * The safety check that verifies a safe ownership of the Git
   worktree is now extended to also cover the ownership of the Git
   directory (and the `.git` file, if there is any).

Carlo Marcelo Arenas Belón (1):
      setup: tighten ownership checks post CVE-2022-24765
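
An added example, not part of the announcement or of Git's own code: a POSIX-only Python audit that applies the ownership rule described in the v2.30.5 notes to the worktree, the `.git` file (if any) and the Git directory. The function names and the constructed temporary layout are assumptions, and the comparison approximates the check rather than reproducing Git's implementation.

```python
import os
import tempfile


def resolve_git_paths(worktree):
    """Return the paths the release note names: worktree, .git file (if any), Git directory."""
    worktree = os.path.abspath(worktree)
    dot_git = os.path.join(worktree, ".git")
    paths = {"worktree": worktree}
    if os.path.isfile(dot_git):
        # A .git file holds a "gitdir: <path>" line pointing at the real Git directory.
        paths["gitfile"] = dot_git
        with open(dot_git, encoding="utf-8") as fh:
            line = fh.readline().strip()
        if not line.startswith("gitdir:"):
            raise ValueError(f"{dot_git}: not a gitfile")
        target = line[len("gitdir:"):].strip()
        paths["gitdir"] = os.path.normpath(os.path.join(worktree, target))
    elif os.path.isdir(dot_git):
        paths["gitdir"] = dot_git
    else:
        raise FileNotFoundError(f"{worktree}: no .git entry")
    return paths


def foreign_owned(worktree, uid=None):
    """List (role, path, owner_uid) for every checked path not owned by uid."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for role, path in resolve_git_paths(worktree).items():
        owner = os.lstat(path).st_uid  # lstat: judge the entry itself, not a symlink target
        if owner != uid:
            findings.append((role, path, owner))
    return findings


def demo():
    # Constructed layout: a worktree whose .git is a file pointing at a separate Git directory.
    with tempfile.TemporaryDirectory() as root:
        wt = os.path.join(root, "wt")
        gd = os.path.join(root, "store.git")
        os.makedirs(wt)
        os.makedirs(gd)
        with open(os.path.join(wt, ".git"), "w", encoding="utf-8") as fh:
            fh.write("gitdir: ../store.git\n")
        mine = foreign_owned(wt)  # everything was just created by this user
        other = foreign_owned(wt, uid=os.getuid() + 1)  # audit from another uid's view
        return mine, sorted(role for role, _, _ in other)
```

Run `foreign_owned(path)` against a checkout on a shared or multi-user host; any entry it returns is a path among the three that belongs to someone other than the auditing user.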
