Compare commits

5 commits

Author SHA1 Message Date
Todd Zullinger
d90a306a79 update to 2.34.3 (#2073414, CVE-2022-24765)
Per the upstream release notes from 2.30.3¹:

    This release addresses the security issue CVE-2022-24765.

     * CVE-2022-24765:
       On multi-user machines, Git users might find themselves
       unexpectedly in a Git worktree, e.g. when another user created a
       repository in `C:\.git`, in a mounted network drive or in a
       scratch space. Merely having a Git-aware prompt that runs `git
       status` (or `git diff`) and navigating to a directory which is
       supposedly not a Git worktree, or opening such a directory in an
       editor or IDE such as VS Code or Atom, will potentially run
       commands defined by that other user.

and 2.30.4²:

    This release contains minor fix-ups for the changes that went into
    Git 2.30.3, which was made to address CVE-2022-24765.

     * The code that was meant to parse the new `safe.directory`
       configuration variable was not checking what configuration
       variable was being fed to it, which has been corrected.

     * '*' can be used as the value for the `safe.directory` variable to
       signal that the user considers that any directory is safe.

¹ https://github.com/git/git/raw/v2.30.3/Documentation/RelNotes/2.30.3.txt
² https://github.com/git/git/raw/v2.30.4/Documentation/RelNotes/2.30.4.txt
2022-04-18 15:00:52 -04:00
Todd Zullinger
210f1bc5ba Merge branch 'rawhide' into f34 2022-01-02 13:18:25 -05:00
Todd Zullinger
5015d9fa15 Merge branch 'rawhide' into f34 2021-04-27 15:20:22 -04:00
Todd Zullinger
be5cd56333 Merge branch 'rawhide' into f34 2021-03-27 11:19:59 -04:00
Todd Zullinger
6eb7905679 update to 2.30.2
This release includes a fix for CVE-2021-21300¹.

Release notes:
https://github.com/git/git/raw/v2.30.2/Documentation/RelNotes/2.30.2.txt

¹ Per the 2.17.6 release notes on CVE-2021-21300:
    On case-insensitive file systems with support for symbolic links, if
    Git is configured globally to apply delay-capable clean/smudge
    filters (such as Git LFS), Git could be fooled into running remote
    code during a clone.
2021-03-09 14:06:18 -05:00
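
The release notes quoted in the first commit message describe a user ending up inside a worktree that another user created higher up the directory tree. The following is an added example, not code from git or from this package: a POSIX shell helper that walks upward from a directory and reports the nearest enclosing repository when it is owned by a different uid. It approximates the ownership condition rather than reproducing git's own check; the function names and the uid used in testing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from git or this package): report the nearest enclosing
# repository when it belongs to a different user than the one given.

# owner_uid PATH -> numeric owner uid (GNU stat first, BSD stat as fallback)
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# foreign_repo_above START [UID]
# Walks from START towards / the way repository discovery does.
# Prints the first directory holding a .git entry and returns 0 if that
# directory or its .git entry is owned by someone other than UID
# (default: the current user).
# Returns 1 when no repository is found or the nearest one is owned by UID,
# and 2 when START cannot be entered.
foreign_repo_above() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    me=${2:-$(id -u)}
    while :; do
        if [ -e "$dir/.git" ]; then
            if [ "$(owner_uid "$dir")" != "$me" ] ||
               [ "$(owner_uid "$dir/.git")" != "$me" ]; then
                printf '%s\n' "$dir"
                return 0
            fi
            return 1    # nearest repository is our own; discovery stops here
        fi
        [ "$dir" = / ] && return 1
        dir=$(dirname "$dir")
    done
}

# Constructed usage, e.g. before enabling a Git-aware prompt in a shared tree:
#   foreign_repo_above . && echo "enclosing repository is owned by another user"
```

A directory reported by this helper is one that would need a `safe.directory` entry before git operates in it after this update.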
2 changed files with 8 additions and 11 deletions

@ -79,7 +79,7 @@
#global rcrev .rc0
Name: git
Version: 2.34.1
Version: 2.34.3
Release: 1%{?rcrev}%{?dist}
Summary: Fast Version Control System
License: GPLv2
@ -1008,6 +1008,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
%{?with_docs:%{_pkgdocdir}/git-svn.html}
%changelog
* Mon Apr 18 2022 Todd Zullinger <tmz@pobox.com> - 2.34.3-1
- update to 2.34.3 (#2073414, CVE-2022-24765)
* Thu Nov 25 2021 Todd Zullinger <tmz@pobox.com> - 2.34.1-1
- update to 2.34.1
- fix gpgsm issues with gnupg-2.3
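Review bot: the new 2.34.3-1 changelog entry names the bug and the CVE but not the user-visible behaviour change that ships with the fix. The release notes quoted in the commit message introduce `safe.directory`, and users working in repositories owned by another account (shared checkouts, network mounts, scratch space) will need it after this update. A second line such as "- repositories owned by other users now require safe.directory" would point them at the setting.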
@ -1087,14 +1090,8 @@ rmdir --ignore-fail-on-non-empty "$testdir"
* Mon Mar 15 2021 Todd Zullinger <tmz@pobox.com> - 2.31.0-1
- update to 2.31.0
* Tue Mar 09 2021 Todd Zullinger <tmz@pobox.com> - 2.31.0-0.2.rc2
- update to 2.31.0-rc2
* Wed Mar 03 2021 Todd Zullinger <tmz@pobox.com> - 2.31.0-0.1.rc1
- update to 2.31.0-rc1
* Tue Mar 02 2021 Todd Zullinger <tmz@pobox.com> - 2.31.0-0.0.rc0
- update to 2.31.0-rc0
* Tue Mar 09 2021 Todd Zullinger <tmz@pobox.com> - 2.30.2-1
- update to 2.30.2 (CVE-2021-21300)
* Tue Mar 02 2021 Todd Zullinger <tmz@pobox.com> - 2.30.1-3
- use %%{gpgverify} macro to verify tarball signature
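Review bot: the header takes this part of %changelog from 14 lines to 8, but none of the commit messages mention touching old entries. The 2.31.0 rc entries (Mar 09, Mar 03, Mar 02) listed between 2.31.0-1 and 2.30.2-1 are the likely candidates; if they are being dropped to keep f34's history in descending date order, say so in the commit message so the cleanup is not mistaken for part of the CVE-2022-24765 update.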

@ -1,2 +1,2 @@
SHA512 (git-2.34.1.tar.xz) = a1a8e9e6f64b1da25508fbd2f783564dcdbe181fb5ff1ebab3bdac6db6094e18acc334479a1abf22ac17ce4f733cc3e10a664db9ab234cd523735a3f027b42db
SHA512 (git-2.34.1.tar.sign) = a1111276e18da1a7b360e3ed3b8460034ea413b116482b0b66342f8873a9dd02a90f3f5bc7ad1e4b3c7f39ed55926a8155064b849e6e6bdf9478cb85b93f10b5
SHA512 (git-2.34.3.tar.xz) = 6bf06b11257bdea48bf37e83c16a805a603c3712c08bd771fb08e09c4d26b53e949249ebbf5e6a58b36a16e2defd1ac09c54312669bd4a5a7d48efb4ec15f59a
SHA512 (git-2.34.3.tar.sign) = 618501c751380c0e918ff6cb8d2ab40ebb95666c28f299916b1b89782b9c3028d1d87e7a0e4f8bb71b7e5488c3bd0c6528f93eeb3e04b42d922dd9d4ee420902
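Review bot: the two new SHA512 lines only pin the bytes that were uploaded; a hash of git-2.34.3.tar.sign says nothing about whether that signature actually validates git-2.34.3.tar.xz. The changelog shows the spec uses %{gpgverify} for the tarball signature, so please confirm the build log for 2.34.3-1 shows that step passing before this goes out as a security update.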