git (1:2.43.0-1ubuntu7.3) noble-security; urgency=medium

  * SECURITY UPDATE: Code execution and file manipulation when cloning
    malicious repositories.
    - debian/patches/CVE-2025-27613.patch: Add argument sanitizing and replace
      command instances with safe versions in gitk-git/gitk.
    - debian/patches/CVE-2025-27614.patch: Remove escape_filter_paths and wrap
      concat instances with list in gitk-git/gitk.
    - CVE-2025-27613
    - CVE-2025-27614
  * SECURITY UPDATE: File overwrite when editing a file in a malicious
    directory in an untrusted repository.
    - debian/patches/CVE-2025-46835-pre1.patch: Remove windows specific code
      in git-gui/git-gui.sh.
    - debian/patches/CVE-2025-46835.patch: Add argument sanitizing, replace
      command instances with safe versions, and wrap instances with list in
      git-gui/git-gui.sh and other files in git-gui directory.
    - CVE-2025-46835
  * SECURITY UPDATE: Unintentional script execution due to improperly stripped
    carriage return.
    - debian/patches/CVE-2025-48384.patch: Add carriage return checks in
      config.c.
    - CVE-2025-48384
  * SECURITY UPDATE: Protocol injection potentially leading to arbitrary code
    execution.
    - debian/patches/CVE-2025-48385.patch: Add URI and filename checks in
      bundle-uri.c.
    - CVE-2025-48385
  * SECURITY UPDATE: Buffer overflow.
    - debian/patches/CVE-2025-48386.patch: Add target_append function and
      change wcsncat calls to target_append in
      contrib/credential/wincred/git-credential-wincred.c.
    - CVE-2025-48386

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Wed, 02 Jul 2025 17:53:42 -0230

git (1:2.43.0-1ubuntu7.2) noble-security; urgency=medium

  * SECURITY UPDATE: crafted URL susceptibility
    - debian/patches/CVE-2024-50349-1.patch: sanitize credentials
      in credential.c, strbuf.c, strbuf.h,
      t/t0300-credentials.sh.
    - debian/patches/CVE-2024-50349-2.patch: credential sanitize
      the user prompt in credential.c, credential.h,
      t/t0300-credentials.sh, t/t5541-http-push-smart.sh,
      t/t5550-http-fetch-dumb.sh, t/t5551-http-fetch-smart.sh.
    - CVE-2024-50349
  * SECURITY UPDATE: Git may pass on Carriage Returns
    - debian/patches/CVE-2024-52006.patch: disallow carriage
      returns in the protocol by default in credential.c,
      credential.h, t/t0300-credentials.sh.
    - CVE-2024-52006

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 13 Jan 2025 16:51:26 -0300

git (1:2.43.0-1ubuntu7.1) noble-security; urgency=medium

  * SECURITY UPDATE: Facilitation of arbitrary code execution
    - debian/patches/CVE-2024-32002.patch: submodule paths
      must not contain symlinks in builtin/submodule--helper.c.
    - CVE-2024-32002
  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2024-32004.patch: detect dubious ownership of
      local repositories in path.c, setup.c, setup.h.
    - CVE-2024-32004
  * SECURITY UPDATE: Overwrite of possible malicious hardlink
    - debian/patches/CVE-2024-32020.patch: refuse clones of unsafe
      repositories in builtin/clone.c, t0033-safe-directory.sh.
    - CVE-2024-32020
  * SECURITY UPDATE: Unauthenticated attacker to place a repository
    on their target's local system that contains symlinks
    - debian/patches/CVE-2024-32021.patch: abort when hardlinked source and
      target file differ in builtin/clone.c
    - CVE-2024-32021
  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default
      in builtin/upload-pack.c, promisor-remote.c
    - CVE-2024-32465

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 20 May 2024 08:15:04 -0300

git (1:2.43.0-1ubuntu7) noble; urgency=high

  * No change rebuild against libcurl3t64-gnutls.

 -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 08 Apr 2024 16:39:51 +0200

git (1:2.43.0-1ubuntu6) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 00:07:01 +0000

git (1:2.43.0-1ubuntu5) noble; urgency=medium

  * Run tests again.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Mar 2024 13:18:21 +0100

git (1:2.43.0-1ubuntu3) noble; urgency=medium

  * Don't run tests for a first build against libcurl3t64-gnutls.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Mar 2024 13:17:23 +0100

git (1:2.43.0-1ubuntu2) noble; urgency=medium

  * No-change rebuild against libcurl3t64-gnutls

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 16 Mar 2024 06:55:53 +0000

git (1:2.43.0-1ubuntu1) noble; urgency=medium

  * Merge from Debian Unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Simon Quigley <tsimonq2@ubuntu.com>  Tue, 28 Nov 2023 10:42:23 -0600

git (1:2.43.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.43.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 26 Nov 2023 17:32:42 -0800

git (1:2.42.0-1ubuntu1) noble; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 19 Nov 2023 21:12:39 -0800

git (1:2.42.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.41.0.txt, RelNotes/2.42.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 27 Sep 2023 09:55:42 -0700

git (1:2.40.1-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.
  * Dropped changes, included upstream:
    - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
      --reject overwriting existing .rej symlink if it exists in apply.c,
      t/t4115-apply-symlink.sh.
    - debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
      avoid using gettext if the locale dir is not present in
      gettext.c.
    - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
      fixed-sized buffer when renaming/deleting a section in config.c,
      t/t1300-config.sh.
    - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
      integer truncation in copy_or_rename_section_in_file() in config.c.
    - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
      overly-long lines in copy_or_rename_section_in_file in config.c.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 18 May 2023 10:40:53 -0700

git (1:2.40.1-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.40.1.txt; addresses
    CVE-2023-25652, CVE-2023-25815, CVE-2023-29007).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 25 Apr 2023 10:16:34 -0700

git (1:2.40.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.40.0.txt).
  * debian/git-doc.doc-base.{git-index-format,git-pack-format,git-protocol}:
    remove from documentation index, as the main git(1) reference
    manual is the main entry point to find these.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 20 Mar 2023 16:50:00 -0700

git (1:2.39.2-1.1) unstable; urgency=medium

  * Non-maintainer upload (only changes to git-doc).
  * Correct paths in git-doc doc-base control files (Closes: #1023255)

 -- Matthew Vernon <matthew@debian.org>  Tue, 28 Feb 2023 09:25:32 +0000

git (1:2.39.2-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Overwriting path
    - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply
      --reject overwriting existing .rej symlink if it exists in apply.c,
      t/t4115-apply-symlink.sh.
    - CVE-2023-25652
  * SECURITY UPDATE: Malicious placement of crafted messages
    - debian/patches/CVE-2023_25652_25815_29007/0024-*patch:
      avoid using gettext if the locale dir is not present in
      gettext.c.
    - CVE-2023-25815
  * SECURITY UPDATE: Arbitrary configuration injection
    - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid
      fixed-sized buffer when renaming/deleting a section in config.c,
      t/t1300-config.sh.
    - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid
      integer truncation in copy_or_rename_section_in_file() in config.c.
    - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow
      overly-long lines in copy_or_rename_section_in_file in config.c.
    - CVE-2023-29007

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 24 Apr 2023 13:01:23 -0300

git (1:2.39.2-1ubuntu1) lunar; urgency=medium

  * Merge from Debian Unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 17 Feb 2023 10:52:54 -0500

git (1:2.39.2-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.39.2.txt).  Addresses
    CVE-2023-22490 and CVE-2023-23946.

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 15 Feb 2023 17:08:12 -0800

git (1:2.39.1-0.1ubuntu1) lunar; urgency=medium

  * Merge from Debian Unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Simon Quigley <tsimonq2@ubuntu.com>  Sat, 11 Feb 2023 14:55:51 -0600

git (1:2.39.1-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  * New upstream stable release (Closes: #1029114)
    Fixes CVE-2022-23521 and CVE-2022-41903.

 -- Aron Xu <aron@debian.org>  Thu, 26 Jan 2023 13:43:04 +0800

git (1:2.39.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.39.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 12 Dec 2022 12:53:44 -0800

git (1:2.38.1-1ubuntu2) lunar; urgency=medium

  * d/p/fix-cpuinfo-regexp.patch: fix cpuinfo regexp to accommodate the
    way s390x shows it (LP: #1997475)

 -- Andreas Hasenack <andreas@canonical.com>  Tue, 22 Nov 2022 14:25:40 -0300

git (1:2.38.1-1ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 07 Nov 2022 15:50:56 -0800

git (1:2.38.1-1) unstable; urgency=medium

  * new upstream release (closes: #1022046; see RelNotes/2.38.0.txt,
    RelNotes/2.38.1.txt).
    * Addresses the security issue CVE-2022-39253: cloning an
      attacker-controlled local repository could store arbitrary files
      in the ".git" directory of the destination repository.

      Thanks to Cory Snider of Mirantis for reporting this
      vulnerability and Taylor Blau for the mitigation.

    * Addresses CVE-2022-39260: a long command string passed to a `git
      shell` configured to support custom commands could overflow and
      run arbitrary code.

      Thanks to Kevin Backhouse of GitHub for reporting this
      vulnerability and Kevin Backhouse, Jeff King, and Taylor Blau
      for mitigating it.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 31 Oct 2022 18:32:00 -0700

git (1:2.37.2-1ubuntu1) kinetic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.
  * Dropped changes, included upstream:
    - debian/patches/CVE-2022-29187-1.patch: adds test to
      regression git needs safe.directory when using sudo in
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
      checks if running privileged in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-3.patch: add negative tests
      and allow git init to mostly work under sudo in
      t/lib-sudo.sh b/t/lib-sudo.sh.
    - debian/patches/CVE-2022-29187-4.patch: allow root
      to access both SUDO_UID and root owned in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
      post CVE-2022-24765 in setup.c.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 16 Aug 2022 11:34:06 -0700

git (1:2.37.2-1) unstable; urgency=low

  * new upstream release (closes: #1016723; see RelNotes/2.37.0.txt,
    RelNotes/2.37.1.txt, RelNotes/2.37.2.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 12 Aug 2022 19:27:24 -0700

git (1:2.36.1-1ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: Potential arbitrary code execution
    - debian/patches/CVE-2022-29187-1.patch: adds test to
      regression git needs safe.directory when using sudo in
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
      checks if running privileged in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-3.patch: add negative tests
      and allow git init to mostly work under sudo in
      t/lib-sudo.sh b/t/lib-sudo.sh.
    - debian/patches/CVE-2022-29187-4.patch: allow root
      to access both SUDO_UID and root owned in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks
      post CVE-2022-24765 in setup.c.
    - CVE-2022-29187

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Thu, 14 Jul 2022 15:05:33 -0300

git (1:2.36.1-1ubuntu1) kinetic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 23 May 2022 12:09:08 +0200

git (1:2.36.1-1) unstable; urgency=low

  * new upstream point release (closes: #1010720; see
    RelNotes/2.36.1.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 09 May 2022 12:43:15 -0700

git (1:2.36.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.36.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 22 Apr 2022 16:43:03 -0700

git (1:2.35.2-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.35.2.txt).
    * Addresses the security issue CVE-2022-24765: Git users might
      have found themselves unexpectedly in a Git worktree, e.g. when
      another user created a repository in `/tmp/.git`, in a mounted
      network drive or in a scratch space. Having a Git-aware prompt
      that runs `git status` (or `git diff`) and navigating to a
      directory which is supposedly not a Git worktree, or opening
      such a directory in an IDE with Git support such as VS Code,
      could then run commands specified by that other user.

      Thanks to 俞晨东 for discovering this vulnerability and
      Johannes Schindelin for the mitigation.

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 12 Apr 2022 21:25:57 -0700

git (1:2.35.1-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.35.0.txt, RelNotes/2.35.1.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 14 Feb 2022 08:24:39 -0800

git (1:2.34.1-1ubuntu1.2) jammy; urgency=medium

  * SECURITY REGRESSION: Previous update was incomplete causing regressions
    and not correctly fixing the issue.
    - debian/patches/CVE-2022-24765-5.patch: fix safe.directory
      key not being checked in setup.c.
    - debian/patches/CVE-2022-24765-6.patch:
      opt-out of check with safe.directory=* in setup.c. (LP: #1970260)

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Mon, 25 Apr 2022 20:14:03 -0300

git (1:2.34.1-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Run commands in diff users
    - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add
      an owner check for the top-level-directory; add a function to
      determine whether a path is owned by the current user in patch.c,
      t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h,
      git-compat-util.h.
    - CVE-2022-24765

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Fri, 08 Apr 2022 08:43:25 -0300

git (1:2.34.1-1ubuntu1) jammy; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 24 Jan 2022 16:50:15 +0100

git (1:2.34.1-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.34.1.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 29 Nov 2021 11:04:56 -0800

git (1:2.34.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.34.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Sat, 20 Nov 2021 13:14:45 -0800

git (1:2.33.1-1ubuntu1) jammy; urgency=low

  [ Ubuntu Merge-o-Matic ]
  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 15 Nov 2021 11:34:24 +0100

git (1:2.33.1-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.33.1.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 25 Oct 2021 15:02:19 -0700

git (1:2.33.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.33.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 16 Aug 2021 17:54:01 -0700

git (1:2.32.0-1ubuntu1) impish; urgency=medium

  * Merge with Debian; remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Mon, 09 Aug 2021 14:29:27 +0200

git (1:2.32.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.32.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 06 Jun 2021 14:34:33 -0700

git (1:2.32.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.
  * remove git-el package (closes: #987264, #984931).  Since version
    1:2.18.0~rc2-1, it only contained modules that error out with a
    message pointing to other Emacs packages.  Nowadays users can
    use the README.emacs file from the git package for that instead.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 31 May 2021 15:02:28 -0700

git (1:2.32.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.32.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Thu, 20 May 2021 13:20:15 -0700

git (1:2.31.1-1ubuntu1) impish; urgency=medium

  * Merge with Debian; remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 17 May 2021 13:12:10 +0200

git (1:2.31.1-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.31.1.txt).
  * install dashed commands to /usr/lib again (thx Sven Joachim;
    closes: #985416).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 19 Apr 2021 09:23:57 -0700

git (1:2.31.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.31.0.txt).
  * install dashed commands to /usr/libexec instead of /usr/lib (thx
    Chris Lamb for suggesting it through lintian).
  * remove compatibility code and NEWS.Debian entries that supported
    upgrades from versions before 1.7.9.5 (the version in Ubuntu
    12.04, which reached the end of extended security maintenance in
    April, 2019).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 15 Mar 2021 19:32:17 -0700

git (1:2.30.2-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian; remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 10 Mar 2021 16:06:22 +0100

git (1:2.30.2-1) unstable; urgency=medium

  * new upstream point release (see RelNotes/2.30.2.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 09 Mar 2021 17:45:38 -0800

git (1:2.30.1-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian; remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 04 Mar 2021 12:34:54 +0100

git (1:2.30.1-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.30.1.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 16 Feb 2021 21:55:22 -0800

git (1:2.30.0-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 06 Jan 2021 16:47:23 -0800

git (1:2.30.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.30.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 28 Dec 2020 16:22:30 -0800

git (1:2.30.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 23 Dec 2020 15:17:54 -0800

git (1:2.30.0~rc1-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.30.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 21 Dec 2020 13:58:04 -0800

git (1:2.29.2-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 05 Nov 2020 15:57:05 -0800

git (1:2.29.2-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.29.2.txt).
  * debian/copyright: remove unused BSD-2-Clause text.  The last part
    of Git under that license was removed in v2.29.0.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 02 Nov 2020 09:33:37 -0800

git (1:2.29.1-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.29.0.txt).
  * update debian/copyright.
  * debian/control: Build-Depends: debhelper-compat (= 10)
    * debian/rules: run "dh --without autoreconf" to speed up build,
      since we don't use the autotools-generated configure script.
  * git-el: install elisp for the "emacs" flavor, too (thx Zack Weinberg;
    closes: #972871).  Breaks: emacsen-common (<< 3.0.0~) to avoid
    triggering on older systems where "emacs" was a virtual package.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 26 Oct 2020 17:25:55 -0700

git (1:2.28.0-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 24 Oct 2020 17:30:59 -0700

git (1:2.28.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.28.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 27 Jul 2020 11:02:01 -0700

git (1:2.28.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 22 Jul 2020 17:36:57 -0700

git (1:2.28.0~rc1-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 17 Jul 2020 18:40:53 -0700

git (1:2.28.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.28.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 13 Jul 2020 15:03:55 -0700

git (1:2.27.0-1ubuntu1) groovy; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 09 Jun 2020 13:50:43 -0700

git (1:2.27.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.27.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 01 Jun 2020 10:05:06 -0700

git (1:2.27.0~rc2-1) unstable; urgency=low

  * new upstream release candidate (closes: #757402).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 26 May 2020 14:27:25 -0700

git (1:2.27.0~rc0-1ubuntu1) groovy; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.
  * Drop security update patches, included upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 20 May 2020 16:48:49 -0700

git (1:2.27.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.27.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 18 May 2020 16:57:41 -0700

git (1:2.26.2-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.26.2.txt).
    * Addresses the security issue CVE-2020-11008.

      With a crafted URL that contains a newline or empty host, or
      lacks a scheme, the credential helper machinery can be fooled
      into providing credential information that is not appropriate
      for the protocol in use and host being contacted.

      Unlike the vulnerability fixed in 2.26.1, the credentials are
      not for a host of the attacker's choosing.  Instead, they are
      for an unspecified host, based on how the configured
      credential helper handles an absent "host" parameter.

      The attack has been made impossible by refusing to work with
      underspecified credential patterns.

      Thanks to Carlo Arenas for reporting that Git was still
      vulnerable, Felix Wilhelm for providing the proof of concept
      demonstrating this issue, and Jeff King for promptly providing
      a corrected fix.

      Tested using the proof of concept at
      https://crbug.com/project-zero/2021.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 20 Apr 2020 10:44:09 -0700

git (1:2.26.1-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.26.1.txt).
    * Addresses the security issue CVE-2020-5260.

      With a crafted URL that contains a newline, the credential
      helper machinery can be fooled to supply credential information
      for the wrong host.  The attack has been made impossible by
      forbidding a newline character in any value passed via the
      credential protocol.

      Thanks to Felix Wilhelm of Google Project Zero for finding
      this vulnerability and Jeff King for fixing it.

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 14 Apr 2020 10:29:38 -0700

git (1:2.26.0-2) unstable; urgency=low

  * fixes to the (newly default) rebase --merge backend:
    * honor GIT_REFLOG_ACTION (thx Ian Jackson and Elijah Newren;
      closes: #955152).
    * avoid "nothing to do" error when fast-forwarding a branch with
      rebase.abbreviateCommands=true (thx Jan Alexander Steffens and
      Alban Gruin).
  * debian/control: downgrade Recommends by git-all on git-daemon-run
    to Suggests. The git-all package is a "batteries included" full
    installation of Git. Automatically running a daemon is not useful
    to most of its users.

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 14 Apr 2020 10:09:37 -0700

git (1:2.26.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.26.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 23 Mar 2020 13:19:36 -0700

git (1:2.26.0~rc2-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.26.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 16 Mar 2020 21:17:23 -0700

git (1:2.25.1-1ubuntu3) focal; urgency=medium

  * SECURITY UPDATE: credential helper issue with missing host or scheme
    - debian/patches/CVE-2020-11008-1.patch: make "quit" helper more
      realistic in t/t0300-credentials.sh.
    - debian/patches/CVE-2020-11008-2.patch: use more realistic inputs in
      t/t0300-credentials.sh.
    - debian/patches/CVE-2020-11008-3.patch: parse URL without host as
      empty host, not unset in credential.c, http.c,
      t/t0300-credentials.sh.
    - debian/patches/CVE-2020-11008-4.patch: refuse to operate when missing
      host or protocol in credential.c, t/t0300-credentials.sh.
    - debian/patches/CVE-2020-11008-5.patch: convert gitmodules url to URL
      passed to curl in fsck.c, t/t7416-submodule-dash-url.sh.
    - debian/patches/CVE-2020-11008-6.patch: die() when parsing invalid
      urls in credential.c, t/t0300-credentials.sh.
    - debian/patches/CVE-2020-11008-7.patch: treat URL without scheme as
      invalid in credential.c, fsck.c, t/t5550-http-fetch-dumb.sh,
      t/t7416-submodule-dash-url.sh.
    - debian/patches/CVE-2020-11008-8.patch: treat URL with empty scheme as
      invalid in credential.c, t/t5550-http-fetch-dumb.sh,
      t/t7416-submodule-dash-url.sh.
    - debian/patches/CVE-2020-11008-9.patch: reject URL with empty host in
      .gitmodules in fsck.c, t/t7416-submodule-dash-url.sh.
    - CVE-2020-11008

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 20 Apr 2020 11:50:03 -0400

git (1:2.25.1-1ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: credential helper issue with newlines in URL
    - debian/patches/CVE-2020-5260-1.patch: avoid writing values with
      newlines in credential.c, t/t0300-credentials.sh.
    - debian/patches/CVE-2020-5260-2.patch: use test_i18ncmp to check
      stderr in t/lib-credential.sh.
    - debian/patches/CVE-2020-5260-3.patch: detect unrepresentable values
      when parsing urls in credential.c, credential.h,
      t/t0300-credentials.sh.
    - debian/patches/CVE-2020-5260-4.patch: detect gitmodules URLs with
      embedded newlines in fsck.c, t/t7416-submodule-dash-url.sh.
    - CVE-2020-5260

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 14 Apr 2020 08:31:47 -0400

git (1:2.25.1-1ubuntu1) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 20 Feb 2020 14:55:13 -0800

git (1:2.25.1-1) unstable; urgency=low

  * new upstream point release (see RelNotes/2.25.1.txt).
  * update debian/copyright.
  * debian/control: remove Gerrit Pape from the Maintainer field,
    as requested. Thanks to Gerrit for putting together this
    package in a way that has been pleasant to maintain.
  * debian/rules: use "dpkg-architecture" instead of "uname -m" to
    retrieve host arch.  This makes the resulting "git version
    --build-options" more predictable when building for i386 on an
    amd64 machine (thx to Ceridwen for detecting this in reprotest).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 18 Feb 2020 17:26:36 -0800

git (1:2.25.0-1ubuntu1) focal; urgency=medium

  * Resynchronise with Debian. Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)
    - Don't build-depend on subversion on i386, it is not reasonable to
      support on the partial arch.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 30 Jan 2020 13:20:28 -0500

git (1:2.25.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.25.0.txt).
  * build against Python 3 (thx Steve Langasek, closes: #948832).

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 14 Jan 2020 02:58:47 +0000

git (1:2.25.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 08 Jan 2020 16:08:27 -0800

git (1:2.25.0~rc1-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 03 Jan 2020 15:12:18 -0800

git (1:2.25.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.25.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 27 Dec 2019 15:08:51 -0800

git (1:2.24.1-1) unstable; urgency=low

  * update to use upstream tarball for 2.24.1.

 -- Jonathan Nieder <jrnieder@gmail.com>  Tue, 10 Dec 2019 13:21:59 -0800

git (1:2.24.0-2) unstable; urgency=high

  * new upstream point release (see RelNotes/2.24.1.txt).
    * Addresses the security issues CVE-2019-1348, CVE-2019-1349,
      CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353,
      CVE-2019-1354, and CVE-2019-1387.

      Credit for finding these vulnerabilities goes to Microsoft
      Security Response Center, in particular to Nicolas Joly. Fixes
      were provided by Jeff King and Johannes Schindelin with help
      from Garima Singh.

    * Addresses CVE-2019-19604, arbitrary code execution via the
      "update" field in .gitmodules.

      Credit for finding this vulnerability goes to Joern
      Schneeweisz from GitLab.

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 09 Dec 2019 06:20:25 +0000

git (1:2.24.0-1ubuntu2) focal; urgency=medium

  * Don't build-depend on subversion on i386, it is not reasonable to
    support on the partial arch.
  * Set PYTHON_PATH=/usr/bin/python2 and build-depend on python2 not python.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 13 Jan 2020 07:04:49 -0800

git (1:2.24.0-1ubuntu1) focal; urgency=medium

  * Resynchronise with Debian.  Remaining changes:
    - Build diff-highlight in the contrib dir (closes: #868871, LP: #1713690)

 -- Colin Watson <cjwatson@ubuntu.com>  Wed, 13 Nov 2019 11:51:13 +0000

git (1:2.24.0-1) unstable; urgency=medium

  * new upstream release (see RelNotes/2.24.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 03 Nov 2019 22:16:20 -0800

git (1:2.24.0~rc2-1) unstable; urgency=low

  * new upstream release candidate.

 -- Jonathan Nieder <jrnieder@gmail.com>  Wed, 30 Oct 2019 12:52:19 -0700

git (1:2.24.0~rc1-1) unstable; urgency=medium

  * new upstream release candidate.
    * test-tool: read --total as an int, not uint64 (thx John Paul Adrian
      Glaubitz; closes: #942674)

 -- Jonathan Nieder <jrnieder@gmail.com>  Thu, 24 Oct 2019 15:44:01 -0700

git (1:2.24.0~rc0-1) unstable; urgency=medium

  * new upstream release candidate (see RelNotes/2.24.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 18 Oct 2019 15:15:37 -0700

git (1:2.23.0-1) unstable; urgency=medium

  * new upstream release (see RelNotes/2.23.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 18 Aug 2019 16:58:15 -0700

git (1:2.23.0~rc1-1) unstable; urgency=low

  * new upstream release candidate.
    * tests: sort output of hashmap iteration (closes: #933519)

 -- Jonathan Nieder <jrnieder@gmail.com>  Fri, 02 Aug 2019 17:21:22 -0700

git (1:2.23.0~rc0-1) unstable; urgency=low

  * new upstream release candidate (see RelNotes/2.23.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 29 Jul 2019 17:07:53 -0700

git (1:2.22.0-1) unstable; urgency=low

  * new upstream release (see RelNotes/2.21.0.txt, RelNotes/2.22.0.txt).

 -- Jonathan Nieder <jrnieder@gmail.com>  Mon, 08 Jul 2019 10:50:51 -0700

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog git`.

Generated by dwww version 1.16 on Mon Dec 15 20:51:43 CET 2025.