Documentation/RelNotes/2.39.4.adoc at reftables-rust

freshlybakedca.ke / git
fork atom
Git fork
fork atom
git / Documentation / RelNotes / 2.39.4.adoc
at reftables-rust 79 lines 2.6 kB view raw
wrap content
brian m. carlson doc: use .adoc extension for AsciiDoc files 1y ago
1f010d6b
 1Git v2.39.4 Release Notes
 2=========================
 3
 4This addresses the security issues CVE-2024-32002, CVE-2024-32004,
 5CVE-2024-32020 and CVE-2024-32021.
 6
 7This release also backports fixes necessary to let the CI builds pass
 8successfully.
 9
10Fixes since v2.39.3
11-------------------
12
13 * CVE-2024-32002:
14
15   Recursive clones on case-insensitive filesystems that support symbolic
16   links are susceptible to case confusion that can be exploited to
17   execute just-cloned code during the clone operation.
18
19 * CVE-2024-32004:
20
21   Repositories can be configured to execute arbitrary code during local
22   clones. To address this, the ownership checks introduced in v2.30.3
23   are now extended to cover cloning local repositories.
24
25 * CVE-2024-32020:
26
27   Local clones may end up hardlinking files into the target repository's
28   object database when source and target repository reside on the same
29   disk. If the source repository is owned by a different user, then
30   those hardlinked files may be rewritten at any point in time by the
31   untrusted user.
32
33 * CVE-2024-32021:
34
35   When cloning a local source repository that contains symlinks via the
36   filesystem, Git may create hardlinks to arbitrary user-readable files
37   on the same filesystem as the target repository in the objects/
38   directory.
39
40 * CVE-2024-32465:
41
42   It is supposed to be safe to clone untrusted repositories, even those
43   unpacked from zip archives or tarballs originating from untrusted
44   sources, but Git can be tricked to run arbitrary code as part of the
45   clone.
46
47 * Defense-in-depth: submodule: require the submodule path to contain
48   directories only.
49
50 * Defense-in-depth: clone: when symbolic links collide with directories, keep
51   the latter.
52
53 * Defense-in-depth: clone: prevent hooks from running during a clone.
54
55 * Defense-in-depth: core.hooksPath: add some protection while cloning.
56
57 * Defense-in-depth: fsck: warn about symlink pointing inside a gitdir.
58
59 * Various fix-ups on HTTP tests.
60
61 * Test update.
62
63 * HTTP Header redaction code has been adjusted for a newer version of
64   cURL library that shows its traces differently from earlier
65   versions.
66
67 * Fix was added to work around a regression in libcURL 8.7.0 (which has
68   already been fixed in their tip of the tree).
69
70 * Replace macos-12 used at GitHub CI with macos-13.
71
72 * ci(linux-asan/linux-ubsan): let's save some time
73
74 * Tests with LSan from time to time seem to emit harmless message that makes
75   our tests unnecessarily flakey; we work it around by filtering the
76   uninteresting output.
77
78 * Update GitHub Actions jobs to avoid warnings against using deprecated
79   version of Node.js.