1f010d6bdf
We presently use the ".txt" extension for our AsciiDoc files. While not wrong, most editors do not associate this extension with AsciiDoc, meaning that contributors don't get automatic editor functionality that could be useful, such as syntax highlighting and prose linting. It is much more common to use the ".adoc" extension for AsciiDoc files, since this helps editors automatically detect files and also allows various forges to provide rich (HTML-like) rendering. Let's do that here, renaming all of the files and updating the includes where relevant. Adjust the various build scripts and makefiles to use the new extension as well. Note that this should not result in any user-visible changes to the documentation. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
52 lines
1.7 KiB
Plaintext
52 lines
1.7 KiB
Plaintext
Git v2.30.8 Release Notes
|
|
=========================
|
|
|
|
This release addresses the security issues CVE-2023-22490 and
|
|
CVE-2023-23946.
|
|
|
|
|
|
Fixes since v2.30.7
|
|
-------------------
|
|
|
|
* CVE-2023-22490:
|
|
|
|
Using a specially-crafted repository, Git can be tricked into using
|
|
its local clone optimization even when using a non-local transport.
|
|
Though Git will abort local clones whose source $GIT_DIR/objects
|
|
directory contains symbolic links (c.f., CVE-2022-39253), the objects
|
|
directory itself may still be a symbolic link.
|
|
|
|
These two may be combined to include arbitrary files based on known
|
|
paths on the victim's filesystem within the malicious repository's
|
|
working copy, allowing for data exfiltration in a similar manner as
|
|
CVE-2022-39253.
|
|
|
|
* CVE-2023-23946:
|
|
|
|
By feeding a crafted input to "git apply", a path outside the
|
|
working tree can be overwritten as the user who is running "git
|
|
apply".
|
|
|
|
* A mismatched type in `attr.c::read_attr_from_index()` which could
|
|
cause Git to errantly reject attributes on Windows and 32-bit Linux
|
|
has been corrected.
|
|
|
|
Credit for finding CVE-2023-22490 goes to yvvdwf, and the fix was
|
|
developed by Taylor Blau, with additional help from others on the
|
|
Git security mailing list.
|
|
|
|
Credit for finding CVE-2023-23946 goes to Joern Schneeweisz, and the
|
|
fix was developed by Patrick Steinhardt.
|
|
|
|
|
|
Johannes Schindelin (1):
|
|
attr: adjust a mismatched data type
|
|
|
|
Patrick Steinhardt (1):
|
|
apply: fix writing behind newly created symbolic links
|
|
|
|
Taylor Blau (3):
|
|
t5619: demonstrate clone_local() with ambiguous transport
|
|
clone: delay picking a transport until after get_repo_path()
|
|
dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
|