Accepted git 1:2.38.1-1 (source) into unstable
- To: debian-devel-changes@lists.debian.org
- Subject: Accepted git 1:2.38.1-1 (source) into unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 01 Nov 2022 02:34:48 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: git_2.38.1-1_source.changes
- Debian-source: git
- Debian-suite: unstable
- Debian-version: 1:2.38.1-1
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1oph72-00ByAO-T3@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 31 Oct 2022 18:32:00 -0700
Source: git
Architecture: source
Version: 1:2.38.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Closes: 1022046
Changes:
git (1:2.38.1-1) unstable; urgency=medium
.
* new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
RelNotes/2.38.1.txt).
* Addresses the security issue CVE-2022-39253: cloning an
attacker-controlled local repository could store arbitrary files
in the ".git" directory of the destination repository.
.
Thanks to Cory Snider of Mirantis for reporting this
vulnerability and Taylor Blau for the mitigation.
.
* Addresses CVE-2022-39260: a long command string passed to a `git
shell` configured to support custom commands could overflow and
run arbitrary code.
.
Thanks to Kevin Backhouse of GitHub for reporting this
vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
for mitigating it.
Checksums-Sha1:
449c41de458306bfdb5c3799304325abedf3c1b4 2825 git_2.38.1-1.dsc
a1886780a89423ddb600e141d44751480eb1413f 7088208 git_2.38.1.orig.tar.xz
488bf4953a4480e6bcbc0f751caede0e2b938cd0 733140 git_2.38.1-1.debian.tar.xz
4ff32dc38d82a5ee5c99a9c3e98de859830a1e00 12288 git_2.38.1-1_amd64.buildinfo
Checksums-Sha256:
500be7ab00360288196aaf434efcc15e733e90dfb02157483e48196a8d56fe89 2825 git_2.38.1-1.dsc
97ddf8ea58a2b9e0fbc2508e245028ca75911bd38d1551616b148c1aa5740ad9 7088208 git_2.38.1.orig.tar.xz
b2aec5827639f2f939774f457414a6b46f1fce1f014f76a1a48f12a980c3baca 733140 git_2.38.1-1.debian.tar.xz
07d50f78c51a4b7ab5aeb01f35a509a0b612f926c2ec73de495a05f8af80137c 12288 git_2.38.1-1_amd64.buildinfo
Files:
af8a914ca17fccdf2bb81a9ccd0f0e52 2825 vcs optional git_2.38.1-1.dsc
abdafbfb85d205421903a2100c734b17 7088208 vcs optional git_2.38.1.orig.tar.xz
0f6b1dbbd7cf870b4433769c3d72e6a0 733140 vcs optional git_2.38.1-1.debian.tar.xz
ccb61ddd515c72e896217e91166c5652 12288 vcs optional git_2.38.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----