Message-ID: <xmqqr0dheuw5.fsf@gitster.g>
Date: Fri, 31 May 2024 10:47:06 -0700
From: Junio C Hamano <gitster@...ox.com>
To: git@...r.kernel.org
Cc: Linux Kernel <linux-kernel@...r.kernel.org>,
    git-packagers@...glegroups.com
Subject: [ANNOUNCE] Git v2.45.2 and friends to unbreak "git lfs" and others

The latest maintenance release Git v2.45.2 and its siblings
(v2.39.5, v2.40.3, v2.41.2, v2.42.3, v2.43.5, and v2.44.2) are now
available at the usual places.  They are to revert overly strict
checks, which were "added while at it to help enhance security, even
though these changes alone would not solve any known security
problems", in the recent security updates that addressed four CVEs.

They unfortunately broke valid setups of "git lfs" and "git annex"
(among other unknown things), so we are first reverting them, with
an intention to later reassess the situation and rebuild
replacements that are much less aggressive and more precise, if
needed.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.45.2'
and other tags:

  url = https://git.kernel.org/pub/scm/git/git
  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git v2.45.2 Release Notes
=========================

In preparing security fixes for four CVEs, we made overly aggressive
"defense in depth" changes that broke legitimate use cases like 'git
lfs' and 'git annex.'  This release is to revert these misguided, if
well-intentioned, changes that were shipped in 2.45.1 and were not
direct security fixes.

Jeff King (5):
      send-email: drop FakeTerm hack
      send-email: avoid creating more than one Term::ReadLine object
      ci: drop mention of BREW_INSTALL_PACKAGES variable
      ci: avoid bare "gcc" for osx-gcc job
      ci: stop installing "gcc-13" for osx-gcc

Johannes Schindelin (6):
      hook: plug a new memory leak
      init: use the correct path of the templates directory again
      Revert "core.hooksPath: add some protection while cloning"
      tests: verify that `clone -c core.hooksPath=/dev/null` works again
      clone: drop the protections where hooks aren't run
      Revert "Add a helper function to compare file contents"

Junio C Hamano (1):
      Revert "fsck: warn about symlink pointing inside a gitdir"

----------------------------------------------------------------

Changes since v2.45.1 are as follows:

Jeff King (5):
      send-email: drop FakeTerm hack
      send-email: avoid creating more than one Term::ReadLine object
      ci: drop mention of BREW_INSTALL_PACKAGES variable
      ci: avoid bare "gcc" for osx-gcc job
      ci: stop installing "gcc-13" for osx-gcc

Johannes Schindelin (6):
      hook: plug a new memory leak
      init: use the correct path of the templates directory again
      Revert "core.hooksPath: add some protection while cloning"
      tests: verify that `clone -c core.hooksPath=/dev/null` works again
      clone: drop the protections where hooks aren't run
      Revert "Add a helper function to compare file contents"

Junio C Hamano (2):
      Revert "fsck: warn about symlink pointing inside a gitdir"
      Git 2.39.5
