From 66d2a6159f511924e7e0b8a21c93538879bfd622 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 19:58:46 +0100 Subject: Git 2.14.6 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.14.6.txt | 54 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 Documentation/RelNotes/2.14.6.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.14.6.txt b/Documentation/RelNotes/2.14.6.txt new file mode 100644 index 0000000000..72b7af6799 --- /dev/null +++ b/Documentation/RelNotes/2.14.6.txt 
@@ -0,0 +1,54 @@ +Git v2.14.6 Release Notes +========================= + +This release addresses the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387. + +Fixes since v2.14.5 +------------------- + + * CVE-2019-1348: + The --export-marks option of git fast-import is exposed also via + the in-stream command feature export-marks=... and it allows + overwriting arbitrary paths. + + * CVE-2019-1349: + When submodules are cloned recursively, under certain circumstances + Git could be fooled into using the same Git directory twice. We now + require the directory to be empty. + + * CVE-2019-1350: + Incorrect quoting of command-line arguments allowed remote code + execution during a recursive clone in conjunction with SSH URLs. + + * CVE-2019-1351: + While the only permitted drive letters for physical drives on + Windows are letters of the US-English alphabet, this restriction + does not apply to virtual drives assigned via subst : + . Git mistook such paths for relative paths, allowing writing + outside of the worktree while cloning. + + * CVE-2019-1352: + Git was unaware of NTFS Alternate Data Streams, allowing files + inside the .git/ directory to be overwritten during a clone. + + * CVE-2019-1353: + When running Git in the Windows Subsystem for Linux (also known as + "WSL") while accessing a working directory on a regular Windows + drive, none of the NTFS protections were active. + + * CVE-2019-1354: + Filenames on Linux/Unix can contain backslashes. On Windows, + backslashes are directory separators. Git did not use to refuse to + write out tracked files with such filenames. + + * CVE-2019-1387: + Recursive clones are currently affected by a vulnerability that is + caused by too-lax validation of submodule names, allowing very + targeted attacks via remote code execution in recursive clones. 
+ +Credit for finding these vulnerabilities goes to Microsoft Security +Response Center, in particular to Nicolas Joly. The `fast-import` +fixes were provided by Jeff King, the other fixes by Johannes +Schindelin with help from Garima Singh. -- cgit v1.2.3 From 7cdafcaacf677b9e0700fa988c247bda192db48d Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 21:33:29 +0100 Subject: Git 2.15.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.15.4.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 Documentation/RelNotes/2.15.4.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.15.4.txt b/Documentation/RelNotes/2.15.4.txt new file mode 100644 index 0000000000..dc241cba34 --- /dev/null +++ b/Documentation/RelNotes/2.15.4.txt @@ -0,0 +1,11 @@ +Git v2.15.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6 to address +the security issues CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, +CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and +CVE-2019-1387; see the release notes for that version for details. + +In conjunction with a vulnerability that was fixed in v2.20.2, +`.gitmodules` is no longer allowed to contain entries of the form +`submodule..update=!command`. -- cgit v1.2.3 From eb288bc455ac67e3ceeff90daf6f25972bb586d0 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 21:45:07 +0100 Subject: Git 2.16.6 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.16.6.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 Documentation/RelNotes/2.16.6.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.16.6.txt b/Documentation/RelNotes/2.16.6.txt new file mode 100644 index 0000000000..438306e60b --- /dev/null +++ b/Documentation/RelNotes/2.16.6.txt 
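Review bot: in the CVE-2019-1351 entry of the 2.14.6 notes, the `subst` example has lost its arguments, so "virtual drives assigned via subst : ." does not parse; restore the placeholders for the drive letter and target path (for example `subst <letter>: <path>`) so a reader can tell what kind of drive mapping triggers the path confusion. Two smaller points in the same hunk: the CVE-2019-1350 entry says "remote code execution during a recursive clone in conjunction with SSH URLs" without naming which component's quoting was wrong, and the CVE-2019-1354 entry's "Git did not use to refuse to write out tracked files" reads more cleanly as "Git did not refuse to write out tracked files".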
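Review bot: the configuration key in the last paragraph of the 2.15.4 notes, `submodule..update=!command`, has an empty component between the dots; the submodule-name placeholder is missing, and the key should read `submodule.<name>.update=!command` so the sentence identifies which entries are now rejected. The same truncated key recurs in the 2.17.3 and 2.20.2 notes in this series, so fix all three together. The phrase "a vulnerability that was fixed in v2.20.2" would also be clearer with the CVE number (CVE-2019-19604, as named in the 2.20.2 notes) so a reader of the 2.15.4 notes does not have to chase it.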
@@ -0,0 +1,8 @@ +Git v2.16.6 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6 and in +v2.15.4 addressing the security issues CVE-2019-1348, CVE-2019-1349, +CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, +CVE-2019-1354, and CVE-2019-1387; see the release notes for those +versions for details. -- cgit v1.2.3 From a5ab8d03173458b76b8452efd90a7173f490c132 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 22:13:04 +0100 Subject: Git 2.17.3 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.17.3.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Documentation/RelNotes/2.17.3.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.17.3.txt b/Documentation/RelNotes/2.17.3.txt new file mode 100644 index 0000000000..5a46c94271 --- /dev/null +++ b/Documentation/RelNotes/2.17.3.txt @@ -0,0 +1,12 @@ +Git v2.17.3 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6 and in +v2.15.4 addressing the security issues CVE-2019-1348, CVE-2019-1349, +CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, +CVE-2019-1354, and CVE-2019-1387; see the release notes for those +versions for details. + +In addition, `git fsck` was taught to identify `.gitmodules` entries +of the form `submodule..update=!command`, which have been +disallowed in v2.15.4. -- cgit v1.2.3 From 9877106b01cbd346b862cc8cd2c52e496dd40ed5 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 22:22:52 +0100 Subject: Git 2.18.2 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.18.2.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 Documentation/RelNotes/2.18.2.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.18.2.txt b/Documentation/RelNotes/2.18.2.txt new file mode 100644 index 0000000000..98b168aade --- /dev/null 
+++ b/Documentation/RelNotes/2.18.2.txt @@ -0,0 +1,8 @@ +Git v2.18.2 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6, v2.15.4 +and in v2.17.3, addressing the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes +for those versions for details. -- cgit v1.2.3 From caccc527ca7f4b3e6f4bb6775cbff94b27741482 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 22:29:33 +0100 Subject: Git 2.19.3 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.19.3.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 Documentation/RelNotes/2.19.3.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.19.3.txt b/Documentation/RelNotes/2.19.3.txt new file mode 100644 index 0000000000..92d7f89de6 --- /dev/null +++ b/Documentation/RelNotes/2.19.3.txt @@ -0,0 +1,8 @@ +Git v2.19.3 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6, v2.15.4 +and in v2.17.3, addressing the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes +for those versions for details. -- cgit v1.2.3 From 4cd1cf31efed9b16db5035c377bfa222f5272458 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 22:33:15 +0100 Subject: Git 2.20.2 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.20.2.txt | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 Documentation/RelNotes/2.20.2.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.20.2.txt b/Documentation/RelNotes/2.20.2.txt new file mode 100644 index 0000000000..8e680cb9fb --- /dev/null +++ b/Documentation/RelNotes/2.20.2.txt 
@@ -0,0 +1,18 @@ +Git v2.20.2 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6, v2.15.4 +and in v2.17.3, addressing the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes +for those versions for details. + +The change to disallow `submodule..update=!command` entries in +`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3 +added explicit fsck checks) fixes the vulnerability in v2.20.x where a +recursive clone followed by a submodule update could execute code +contained within the repository without the user explicitly having +asked for that (CVE-2019-19604). + +Credit for finding this vulnerability goes to Joern Schneeweisz, +credit for the fixes goes to Jonathan Nieder. -- cgit v1.2.3 From 367f12b7e92aef4e8a41fe601d90984a2b7a0381 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 4 Dec 2019 23:01:50 +0100 Subject: Git 2.21.1 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.21.1.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Documentation/RelNotes/2.21.1.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.21.1.txt b/Documentation/RelNotes/2.21.1.txt new file mode 100644 index 0000000000..b7594151e4 --- /dev/null +++ b/Documentation/RelNotes/2.21.1.txt 
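Review bot: "which was introduced v2.15.4" in the second paragraph of the 2.20.2 notes drops a preposition; it should read "which was introduced in v2.15.4". The same paragraph carries the truncated key `submodule..update=!command` (the submodule-name placeholder between the dots is missing, as in the 2.15.4 and 2.17.3 notes); spell it `submodule.<name>.update=!command`.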
@@ -0,0 +1,12 @@ +Git v2.21.1 Release Notes +========================= + +This release merges up the fixes that appear in v2.14.6, v2.15.4, +v2.17.3 and in v2.20.2, addressing the security issues CVE-2019-1348, +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, +CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and CVE-2019-19604; +see the release notes for those versions for details. + +Additionally, this version also includes a couple of fixes for the +Windows-specific quoting of command-line arguments when Git executes +a Unix shell on Windows. -- cgit v1.2.3
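Review bot: the last paragraph of the 2.21.1 notes ("a couple of fixes for the Windows-specific quoting of command-line arguments when Git executes a Unix shell on Windows") is the only item in this series that carries neither a CVE nor a pointer to an earlier release; say whether these are follow-ups to the CVE-2019-1350 quoting fix from v2.14.6 or unrelated, and which code path they touch, so packagers can tell whether 2.21.1 is security-relevant beyond the merged-up CVEs.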