From 6c1194216dccc129a50a64220928a2b321004f96 Mon Sep 17 00:00:00 2001 From: Christian Couder Date: Fri, 28 Apr 2023 11:55:38 +0200 Subject: Makefile: Upgrade Git to security release v2.40.1.gl1 and v2.39.3 Upgrade our Git version to v2.40.1.gl1 and v2.39.3, which pulls in the security releases Git v2.40.1 and v2.39.3 that addresses the following CVEs: - CVE-2023-25652: By feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). - CVE-2023-25815: When Git is compiled with runtime prefix support and runs without translated messages, it still used the gettext machinery to display messages, which subsequently potentially looked for translated messages in unexpected places. This allowed for malicious placement of crafted messages. - CVE-2023-29007: When renaming or deleting a section from a configuration file, certain malicious configuration values may be misinterpreted as the beginning of a new configuration section, leading to arbitrary configuration injection. Even though GitLab isn't affected by the above CVEs, it is nice to stay up-to-date with upstream. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 1f4ccac8c..b17842acb 100644 --- a/Makefile +++ b/Makefile @@ -132,9 +132,9 @@ GIT_EXECUTABLES += git-http-backend ## tags, branches, and commit ids. GIT_VERSION ?= ## The Git version used for bundled Git v2.39. -GIT_VERSION_2_39 ?= v2.39.2 +GIT_VERSION_2_39 ?= v2.39.3 ## The Git version used for bundled Git v2.40. -GIT_VERSION_2_40 ?= v2.40.0.gl1 +GIT_VERSION_2_40 ?= v2.40.1.gl1 ## Skip overriding the Git version and instead use the Git version as specified ## in the Git sources. This is required when building Git from a version that -- cgit v1.2.3