With the recent change that drops apr-util-bdb build require, in
favor of httpd, t5540 started failing on tests using git-httpd-push.
This patch sets DavLockDBType to sdbm, fixing these failures.
Move %rcpath definition added d050347 (use tilde versioning for release
candidates, 2023-05-12) after %real_version. Otherwise, it is not
parsed correctly.
(I'm pretty sure it worked in the past, but it certainly doesn't now.)
From the release notes for 2.30.8¹:
* CVE-2023-22490:
Using a specially-crafted repository, Git can be tricked into using
its local clone optimization even when using a non-local transport.
Though Git will abort local clones whose source $GIT_DIR/objects
directory contains symbolic links (c.f., CVE-2022-39253), the objects
directory itself may still be a symbolic link.
These two may be combined to include arbitrary files based on known
paths on the victim's filesystem within the malicious repository's
working copy, allowing for data exfiltration in a similar manner as
CVE-2022-39253.
* CVE-2023-23946:
By feeding a crafted input to "git apply", a path outside the
working tree can be overwritten as the user who is running "git
apply".
* A mismatched type in `attr.c::read_attr_from_index()` which could
cause Git to errantly reject attributes on Windows and 32-bit Linux
has been corrected.
Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
developed by Taylor Blau, with additional help from others on the
Git security mailing list.
Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
fix was developed by Patrick Steinhardt.
¹ https://github.com/git/git/raw/v2.39.2/Documentation/RelNotes/2.30.8.txt
The git send-email command uses Email::Valid to check addresses. If
Email::Valid is not present, it falls back to a more basic regex match
(which is not nearly as thorough as the checks Email::Valid performs).
While Fedora (and EPEL 7/8 provide perl-Email-Valid, RHEL does not and
does not wish to add the dependency. Make it easier for RHEL to fork &
sync from us by making the dependency conditional.
References:
https://bugzilla.redhat.com/2020487https://bugzilla.redhat.com/2046203http://public-inbox.org/git/20220620004427.3586240-1-trawets@amazon.com/T/#u4414f61 (add more git-email perl dependencies, 2021-11-13)
