pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2018Q1]: pkgsrc/devel Pullup ticket #5769 - requested by leot



details:   https://anonhg.NetBSD.org/pkgsrc/rev/65a7fbb3b824
branches:  pkgsrc-2018Q1
changeset: 408502:65a7fbb3b824
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Jun 08 10:39:05 2018 +0000

description:
Pullup ticket #5769 - requested by leot
devel/git: security fix

This was submitted as a manual patch.

---
   git: Update devel/git to 2.16.4

   Changes:
   Git v2.16.4 Release Notes
   =========================
   This release is to forward-port the fixes made in the v2.13.7 version
   of Git.  See its release notes for details.

   [...2.13.7 release notes...:]

    * Submodule "names" come from the untrusted .gitmodules file, but we
      blindly append them to $GIT_DIR/modules to create our on-disk repo
      paths. This means you can do bad things by putting "../" into the
      name. We now enforce some rules for submodule names which will cause
      Git to ignore these malicious names (CVE-2018-11235).

      Credit for finding this vulnerability and the proof of concept from
      which the test script was adapted goes to Etienne Stalmans.

    * It was possible to trick the code that sanity-checks paths on NTFS
      into reading random piece of memory (CVE-2018-11233).

   Credit for fixing for these bugs goes to Jeff King, Johannes
   Schindelin and others.

diffstat:

 devel/git-base/distinfo    |  10 +++++-----
 devel/git/Makefile.version |   4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (31 lines):

diff -r 89748df30e23 -r 65a7fbb3b824 devel/git-base/distinfo
--- a/devel/git-base/distinfo   Fri Jun 08 10:07:08 2018 +0000
+++ b/devel/git-base/distinfo   Fri Jun 08 10:39:05 2018 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.78 2018/03/24 08:09:40 adam Exp $
+$NetBSD: distinfo,v 1.78.2.1 2018/06/08 10:39:05 bsiegert Exp $
 
-SHA1 (git-2.16.3.tar.xz) = e54fbd04232e8b949764b414c46aea73cca16af0
-RMD160 (git-2.16.3.tar.xz) = 65229a65b041dc7cf0ee028b79f60f0eb424c1db
-SHA512 (git-2.16.3.tar.xz) = 73520cf3500b2d13b77eb1e5ec0d60263aad07732d25631732f0d986abd023f97b8a6db4abff64d342cb053018289b5f7a3e32f10b86bd9092a37ee0585adc8a
-Size (git-2.16.3.tar.xz) = 4966248 bytes
+SHA1 (git-2.16.4.tar.xz) = de89995ea1551755f41ca621a375b6ad42264421
+RMD160 (git-2.16.4.tar.xz) = aa3c1ec4090d0c4d75946ad5b49cd2fd530fe1b0
+SHA512 (git-2.16.4.tar.xz) = f54e431e78289349dcb927ec34873dfb801c49a41cbb3d0138346d603af26bd7d86f9ac95e7a61a4831017f3503f33374510ccf68b0e62b0691fc5a43283f1ac
+Size (git-2.16.4.tar.xz) = 4968252 bytes
 SHA1 (patch-aa) = a58f3c2f45c1fbafd751d10b9ef34e6c9afc2c6f
 SHA1 (patch-ac) = e5d2112d158fe493a89b244a10d2e4b998a23d98
 SHA1 (patch-ae) = 9bc2e6c7f0a8fbc385b6ffda638d3245a62dc5ca
diff -r 89748df30e23 -r 65a7fbb3b824 devel/git/Makefile.version
--- a/devel/git/Makefile.version        Fri Jun 08 10:07:08 2018 +0000
+++ b/devel/git/Makefile.version        Fri Jun 08 10:39:05 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.69 2018/03/24 08:09:40 adam Exp $
+# $NetBSD: Makefile.version,v 1.69.2.1 2018/06/08 10:39:05 bsiegert Exp $
 #
 # used by devel/git/Makefile.common
 # used by devel/git-cvs/Makefile
 # used by devel/git-svn/Makefile
 
-GIT_VERSION=   2.16.3
+GIT_VERSION=   2.16.4



Home | Main Index | Thread Index | Old Index