gitlab.com/gitlab-org/gitaly.git
author: Christian Couder <christian.couder@gmail.com>, 2023-04-28 12:55:38 +0300
committer: Christian Couder <christian.couder@gmail.com>, 2023-04-28 12:55:44 +0300
commit: 6c1194216dccc129a50a64220928a2b321004f96
tree: 7b5b8c6e3d334920775764a5fb84738cf45dbf46
parent: 72a64aac764299b68c572c75ace3ffff7164a23e

Makefile: Upgrade Git to security release v2.40.1.gl1 and v2.39.3

Upgrade our Git version to v2.40.1.gl1 and v2.39.3, which pulls in the security releases Git v2.40.1 and v2.39.3 that address the following CVEs:

- CVE-2023-25652: By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch).

- CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages.

- CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection.

Even though GitLab isn't affected by the above CVEs, it is nice to stay up-to-date with upstream.

-rw-r--r-- Makefile 4
1 files changed, 2 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index 1f4ccac8c..b17842acb 100644
--- a/Makefile
+++ b/Makefile
@@ -132,9 +132,9 @@ GIT_EXECUTABLES += git-http-backend
## tags, branches, and commit ids.
GIT_VERSION ?=
## The Git version used for bundled Git v2.39.
-GIT_VERSION_2_39 ?= v2.39.2
+GIT_VERSION_2_39 ?= v2.39.3
## The Git version used for bundled Git v2.40.
-GIT_VERSION_2_40 ?= v2.40.0.gl1
+GIT_VERSION_2_40 ?= v2.40.1.gl1
## Skip overriding the Git version and instead use the Git version as specified
## in the Git sources. This is required when building Git from a version that
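
Review bot: Both bumped defaults, GIT_VERSION_2_39 and GIT_VERSION_2_40, are assigned with ?= and name tags rather than commit ids, so a build that already sets either variable in its environment keeps the old, unpatched version, and nothing in this hunk ties v2.39.3 or v2.40.1.gl1 to a specific commit. Since the comment above GIT_VERSION says commit ids are accepted too, consider recording the commit each tag is expected to resolve to (in the commit message or a comment next to the variable) so the security upgrade can be verified after the build. The .gl1 suffix on v2.40.1.gl1 is also unexplained here; a one-line comment beside GIT_VERSION_2_40 saying what the suffix denotes would help anyone checking that this tag really contains upstream v2.40.1.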