diff options
| author | Taylor Blau <me@ttaylorr.com> | 2023-04-14 18:54:08 +0300 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2023-04-17 22:15:43 +0300 |
| commit | 668f2d53613ac8fd373926ebe219f2c29112d93e (patch) | |
| tree | dcd6f94cd74712f6b38de3a85afb79839f9509f7 | |
| parent | 528290f8c61222433a8cf02fb7cfffa8438432b4 (diff) | |
Git 2.30.9v2.30.9
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
| -rw-r--r-- | Documentation/RelNotes/2.30.9.txt | 43 | ||||
| -rwxr-xr-x | GIT-VERSION-GEN | 2 | ||||
| l--------- | RelNotes | 2 |
3 files changed, 45 insertions, 2 deletions
diff --git a/Documentation/RelNotes/2.30.9.txt b/Documentation/RelNotes/2.30.9.txt new file mode 100644 index 0000000000..708d626ce6 --- /dev/null +++ b/Documentation/RelNotes/2.30.9.txt @@ -0,0 +1,43 @@ +Git v2.30.9 Release Notes +========================= + +This release addresses the security issues CVE-2023-25652, +CVE-2023-25815, and CVE-2023-29007. + + +Fixes since v2.30.8 +------------------- + + * CVE-2023-25652: + + By feeding specially crafted input to `git apply --reject`, a + path outside the working tree can be overwritten with partially + controlled contents (corresponding to the rejected hunk(s) from + the given patch). + + * CVE-2023-25815: + + When Git is compiled with runtime prefix support and runs without + translated messages, it still used the gettext machinery to + display messages, which subsequently potentially looked for + translated messages in unexpected places. This allowed for + malicious placement of crafted messages. + + * CVE-2023-29007: + + When renaming or deleting a section from a configuration file, + certain malicious configuration values may be misinterpreted as + the beginning of a new configuration section, leading to arbitrary + configuration injection. + +Credit for finding CVE-2023-25652 goes to Ry0taK, and the fix was +developed by Taylor Blau, Junio C Hamano and Johannes Schindelin, +with the help of Linus Torvalds. + +Credit for finding CVE-2023-25815 goes to Maxime Escourbiac and +Yassine BENGANA of Michelin, and the fix was developed by Johannes +Schindelin. + +Credit for finding CVE-2023-29007 goes to André Baptista and Vítor Pinho +of Ethiack, and the fix was developed by Taylor Blau, and Johannes +Schindelin, with help from Jeff King, and Patrick Steinhardt. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 2a52946afc..6681d3083c 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.30.8 +DEF_VER=v2.30.9 LF=' ' @@ -1 +1 @@ -Documentation/RelNotes/2.30.8.txt
\ No newline at end of file +Documentation/RelNotes/2.30.9.txt
\ No newline at end of file |