[ubuntu/groovy-proposed] git 1:2.27.0~rc0-1ubuntu1 (Accepted)

Steve Langasek steve.langasek at ubuntu.com
Thu May 21 00:06:14 UTC 2020


git (1:2.27.0~rc0-1ubuntu1) groovy; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.
  * Drop security update patches, included upstream.

git (1:2.27.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.27.0.txt).

git (1:2.26.2-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.26.2.txt).
    * Addresses the security issue CVE-2020-11008.

      With a crafted URL that contains a newline or empty host, or
      lacks a scheme, the credential helper machinery can be fooled
      into providing credential information that is not appropriate
      for the protocol in use and host being contacted.

      Unlike the vulnerability fixed in 2.26.1, the credentials are
      not for a host of the attacker's choosing.  Instead, they are
      for an unspecified host, based on how the configured
      credential helper handles an absent "host" parameter.

      The attack has been made impossible by refusing to work with
      underspecified credential patterns.

      Thanks to Carlo Arenas for reporting that Git was still
      vulnerable, Felix Wilhelm for providing the proof of concept
      demonstrating this issue, and Jeff King for promptly providing
      a corrected fix.

      Tested using the proof of concept at
      https://crbug.com/project-zero/2021.

git (1:2.26.1-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.26.1.txt).
    * Addresses the security issue CVE-2020-5260.

      With a crafted URL that contains a newline, the credential
      helper machinery can be fooled to supply credential information
      for the wrong host.  The attack has been made impossible by
      forbidding a newline character in any value passed via the
      credential protocol.

      Thanks to Felix Wilhelm of Google Project Zero for finding
      this vulnerability and Jeff King for fixing it.

git (1:2.26.0-2) unstable; urgency=low

  * fixes to the (newly default) rebase --merge backend:
    * honor GIT_REFLOG_ACTION (thx Ian Jackson and Elijah Newren;
      closes: #955152).
    * avoid "nothing to do" error when fast-forwarding a branch with
      rebase.abbreviateCommands=true (thx Jan Alexander Steffens and
      Alban Gruin).
  * debian/control: downgrade Recommends by git-all on git-daemon-run
    to Suggests. The git-all package is a "batteries included" full
    installation of Git. Automatically running a daemon is not useful
    to most of its users.

git (1:2.26.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.26.0.txt).

git (1:2.26.0~rc2-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.26.0.txt).

Date: Wed, 20 May 2020 16:48:49 -0700
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/git/1:2.27.0~rc0-1ubuntu1
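
The two checks described in the 2.26.1 and 2.26.2 entries above (no newline in any value passed via the credential protocol; no URL that lacks a scheme or has an empty host), as an added Python sketch that is not Git's code and not part of the original announcement. The names `credential_request`, `UnsafeCredentialURL` and `rejection_reason` are hypothetical, and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

class UnsafeCredentialURL(ValueError):
    """URL that must not be turned into a credential-helper request."""

def credential_request(url: str) -> str:
    """Serialise url as key=value lines for a credential helper, or raise.
    Illustrative only: mirrors the checks named in the changelog."""
    # urlsplit() may silently drop raw newlines, so reject them first.
    if "\n" in url:
        raise UnsafeCredentialURL("newline in URL")
    parts = urlsplit(url)
    # 2.26.2 entry: underspecified patterns are refused outright.
    if not parts.scheme:
        raise UnsafeCredentialURL("URL has no scheme")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    fields = {"protocol": parts.scheme, "host": unquote(hostport)}
    if not fields["host"]:
        raise UnsafeCredentialURL("URL has an empty host")
    username = unquote(userinfo.partition(":")[0])
    if username:
        fields["username"] = username
    path = unquote(parts.path.lstrip("/"))
    if path:
        fields["path"] = path
    # 2.26.1 entry: percent-decoding can yield a newline, which would
    # split one value across two protocol lines; forbid it everywhere.
    for key, value in fields.items():
        if "\n" in value:
            raise UnsafeCredentialURL(f"newline in {key} value")
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"

def rejection_reason(url: str):
    """Return None if url is acceptable, else the reason it was refused."""
    try:
        credential_request(url)
    except UnsafeCredentialURL as exc:
        return str(exc)
    return None

# Constructed sample inputs (example.com names are placeholders).
SAMPLES = [
    "https://alice@git.example.com/team/repo.git",
    "https://git.example.com%0ax/repo.git",
    "https:///repo.git",
    "git.example.com/repo.git",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r}: {rejection_reason(url) or 'ok'}")
```

The raw-newline test runs before parsing because `urlsplit()` in current Python releases strips such characters, which would otherwise hide the problem from the later per-value check.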

Format: 1.8
Date: Wed, 20 May 2020 16:48:49 -0700
Source: git
Architecture: source
Version: 1:2.27.0~rc0-1ubuntu1
Distribution: groovy
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Closes: 868871 955152
Launchpad-Bugs-Fixed: 1713690
Original-Maintainer: Jonathan Nieder <jrnieder at gmail.com>
