From cf5fe150f251fdbde6af39db8879988c750355a4 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Wed, 18 Mar 2020 03:14:25 -0400
Subject: [PATCH 1/3] update to 2.25.2

https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.25.2.txt
---
 git.spec | 7 +++++--
 sources | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/git.spec b/git.spec
index 320265a..25f2170 100644
--- a/git.spec
+++ b/git.spec
@@ -82,8 +82,8 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.25.1
-Release: 2%{?rcrev}%{?dist}
+Version: 2.25.2
+Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
@@ -1028,6 +1028,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Wed Mar 18 2020 Todd Zullinger - 2.25.2-1
+- update to 2.25.2
+
 * Wed Feb 19 2020 Todd Zullinger - 2.25.1-2
 - split libsecret credential helper into a subpackage (#1804741)
 - consolidate macros for Fedora/EPEL
diff --git a/sources b/sources
index 3717187..f1ca132 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.25.1.tar.xz) = 15241143acfd8542d85d2709ac3c80dbd6e8d5234438f70c4f33cc71a2bdec3e32938df7f6351e2746d570b021d3bd0b70474ea4beec0c51d1fc45f9c287b344
-SHA512 (git-2.25.1.tar.sign) = 29a4fd59227d74b233416fa17ce184c0f57d824fdfc4554e37aa9dd06176fdfa0e7cbade77c661d5d9aa1e62d206f7f4816a690984845baa3ca691069de65a6b
+SHA512 (git-2.25.2.tar.xz) = 5f24bb060165a7397286588cfa32a3e77a98059058363699f7873a2efbb77419dc8985a9b8ae05166035e24db586c379b55c7049a5b6a436c554a7f621a51a23
+SHA512 (git-2.25.2.tar.sign) = a643feec045c41e3ed563d007e7f02e0421a09713c4d663e21d8615e21a4973f93d3faf35a9421ebae2fe9f3ef08d66f25167ce0a2331ae50ededbcc2b665bd7
From f558090b91520f4c3e4088c73c2fd30a3045090e Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Tue, 14 Apr 2020 17:51:26 -0400
Subject: [PATCH 2/3] update to 2.25.3 (CVE-2020-5260)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the upstream release notes¹:
With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt
---
 git.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 25f2170..887e49f 100644
--- a/git.spec
+++ b/git.spec
@@ -82,7 +82,7 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.25.2
+Version: 2.25.3
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -1028,6 +1028,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Tue Apr 14 2020 Todd Zullinger - 2.25.3-1
+- update to 2.25.3 (CVE-2020-5260)
+
 * Wed Mar 18 2020 Todd Zullinger - 2.25.2-1
 - update to 2.25.2
 
diff --git a/sources b/sources
index f1ca132..aa2bdbe 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.25.2.tar.xz) = 5f24bb060165a7397286588cfa32a3e77a98059058363699f7873a2efbb77419dc8985a9b8ae05166035e24db586c379b55c7049a5b6a436c554a7f621a51a23
-SHA512 (git-2.25.2.tar.sign) = a643feec045c41e3ed563d007e7f02e0421a09713c4d663e21d8615e21a4973f93d3faf35a9421ebae2fe9f3ef08d66f25167ce0a2331ae50ededbcc2b665bd7
+SHA512 (git-2.25.3.tar.xz) = 1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471
+SHA512 (git-2.25.3.tar.sign) = 4fd58605192c3528ec2d8dac6fde830ec53e9196eb7c552c1add919ece9f8590a6412e272eca9bc3aa7d9b92d88fb089c33ac1bf758322aa812ff4d564938f12
From 86dce7281ce0dec0a05dbc7aa89f46f29c9d35c8 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Mon, 20 Apr 2020 15:04:05 -0400
Subject: [PATCH 3/3] update to 2.25.4 (CVE-2020-11008)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the upstream release notes¹:
With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with under-specified credential patterns.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
---
 git.spec | 5 ++++-
 sources | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 887e49f..7a65ce7 100644
--- a/git.spec
+++ b/git.spec
@@ -82,7 +82,7 @@
 #global rcrev .rc0
 
 Name: git
-Version: 2.25.3
+Version: 2.25.4
 Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
@@ -1028,6 +1028,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Mon Apr 20 2020 Todd Zullinger - 2.25.4-1
+- update to 2.25.3 (CVE-2020-11008)
+
 * Tue Apr 14 2020 Todd Zullinger - 2.25.3-1
 - update to 2.25.3 (CVE-2020-5260)
 
diff --git a/sources b/sources
index aa2bdbe..4236e42 100644
--- a/sources
+++ b/sources
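Review bot: The new changelog bullet in the second git.spec hunk, `- update to 2.25.3 (CVE-2020-11008)`, contradicts the entry header on the line above (`2.25.4-1`) and the Version bump to 2.25.4 in the first hunk; it should read `- update to 2.25.4 (CVE-2020-11008)`. The RPM changelog is what users and advisory tooling read to confirm which build carries the CVE-2020-11008 fix, so a wrong version on that line can make an already-patched package look unpatched when cross-referenced against the upstream release notes. The sources hunk that follows bumps both SHA512 entries to 2.25.4 consistently, so the inconsistency appears confined to this one line.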
@@ -1,2 +1,2 @@
-SHA512 (git-2.25.3.tar.xz) = 1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471
-SHA512 (git-2.25.3.tar.sign) = 4fd58605192c3528ec2d8dac6fde830ec53e9196eb7c552c1add919ece9f8590a6412e272eca9bc3aa7d9b92d88fb089c33ac1bf758322aa812ff4d564938f12
+SHA512 (git-2.25.4.tar.xz) = ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450
+SHA512 (git-2.25.4.tar.sign) = 069a20b8711a4b46aebc49a5237982bc205581c81256edc9b142ca067354faaa7eb12f873e8ca0001cc647db12724ddc968167e66cdbf9fca6093ea596484410