mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
09e74b06ea68d4cac8f08b51bf4db2daf1987ae2
git/Documentation/RelNotes/2.39.4.adoc
brian m. carlson 1f010d6bdf doc: use .adoc extension for AsciiDoc files 
We presently use the ".txt" extension for our AsciiDoc files.  While not
wrong, most editors do not associate this extension with AsciiDoc,
meaning that contributors don't get automatic editor functionality that
could be useful, such as syntax highlighting and prose linting.

It is much more common to use the ".adoc" extension for AsciiDoc files,
since this helps editors automatically detect files and also allows
various forges to provide rich (HTML-like) rendering.  Let's do that
here, renaming all of the files and updating the includes where
relevant.  Adjust the various build scripts and makefiles to use the new
extension as well.

Note that this should not result in any user-visible changes to the
documentation.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2025-01-21 12:56:06 -08:00

80 lines
2.6 KiB
Plaintext
Raw Blame History

Git v2.39.4 Release Notes
=========================
This addresses the security issues CVE-2024-32002, CVE-2024-32004,
CVE-2024-32020 and CVE-2024-32021.
This release also backports fixes necessary to let the CI builds pass
successfully.
Fixes since v2.39.3
-------------------
* CVE-2024-32002:
Recursive clones on case-insensitive filesystems that support symbolic
links are susceptible to case confusion that can be exploited to
execute just-cloned code during the clone operation.
* CVE-2024-32004:
Repositories can be configured to execute arbitrary code during local
clones. To address this, the ownership checks introduced in v2.30.3
are now extended to cover cloning local repositories.
* CVE-2024-32020:
Local clones may end up hardlinking files into the target repository's
object database when source and target repository reside on the same
disk. If the source repository is owned by a different user, then
those hardlinked files may be rewritten at any point in time by the
untrusted user.
* CVE-2024-32021:
When cloning a local source repository that contains symlinks via the
filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/
directory.
* CVE-2024-32465:
It is supposed to be safe to clone untrusted repositories, even those
unpacked from zip archives or tarballs originating from untrusted
sources, but Git can be tricked to run arbitrary code as part of the
clone.
* Defense-in-depth: submodule: require the submodule path to contain
directories only.
* Defense-in-depth: clone: when symbolic links collide with directories, keep
the latter.
* Defense-in-depth: clone: prevent hooks from running during a clone.
* Defense-in-depth: core.hooksPath: add some protection while cloning.
* Defense-in-depth: fsck: warn about symlink pointing inside a gitdir.
* Various fix-ups on HTTP tests.
* Test update.
* HTTP Header redaction code has been adjusted for a newer version of
cURL library that shows its traces differently from earlier
versions.
* Fix was added to work around a regression in libcURL 8.7.0 (which has
already been fixed in their tip of the tree).
* Replace macos-12 used at GitHub CI with macos-13.
* ci(linux-asan/linux-ubsan): let's save some time
* Tests with LSan from time to time seem to emit harmless message that makes
our tests unnecessarily flakey; we work it around by filtering the
uninteresting output.
* Update GitHub Actions jobs to avoid warnings against using deprecated
version of Node.js.
Reference in New Issue View Git Blame Copy Permalink