debian/patches/0039-Git-2.20.2.diff - jrn/git - Git at Google

 From afdc7c3c9874522c09de39680a6550b086f60a78 Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 4 Dec 2019 22:33:15 +0100
 Subject: Git 2.20.2

 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 (cherry picked from commit 4cd1cf31efed9b16db5035c377bfa222f5272458)
 Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
 ---
  Documentation/RelNotes/2.20.2.txt | 18 ++++++++++++++++++
  GIT-VERSION-GEN                   |  2 +-
  2 files changed, 19 insertions(+), 1 deletion(-)
  create mode 100644 Documentation/RelNotes/2.20.2.txt

 diff --git a/Documentation/RelNotes/2.20.2.txt b/Documentation/RelNotes/2.20.2.txt
 new file mode 100644
 index 0000000000..8e680cb9fb
 --- /dev/null
 +++ b/Documentation/RelNotes/2.20.2.txt
 @@ -0,0 +1,18 @@
 +Git v2.20.2 Release Notes
 +=========================
 +
 +This release merges up the fixes that appear in v2.14.6, v2.15.4
 +and in v2.17.3, addressing the security issues CVE-2019-1348,
 +CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
 +CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes
 +for those versions for details.
 +
 +The change to disallow `submodule.<name>.update=!command` entries in
 +`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
 +added explicit fsck checks) fixes the vulnerability in v2.20.x where a
 +recursive clone followed by a submodule update could execute code
 +contained within the repository without the user explicitly having
 +asked for that (CVE-2019-19604).
 +
 +Credit for finding this vulnerability goes to Joern Schneeweisz,
 +credit for the fixes goes to Jonathan Nieder.
 diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
 index d1a2814ec7..492f3480f0 100755
 --- a/GIT-VERSION-GEN
 +++ b/GIT-VERSION-GEN
 @@ -1,7 +1,7 @@
  #!/bin/sh

  GVF=GIT-VERSION-FILE
 -DEF_VER=v2.20.1
 +DEF_VER=v2.20.2

  LF='
  '
 --
 2.26.0.292.g33ef6b2f38
	From afdc7c3c9874522c09de39680a6550b086f60a78 Mon Sep 17 00:00:00 2001
	From: Johannes Schindelin <johannes.schindelin@gmx.de>
	Date: Wed, 4 Dec 2019 22:33:15 +0100
	Subject: Git 2.20.2

	Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
	(cherry picked from commit 4cd1cf31efed9b16db5035c377bfa222f5272458)
	Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
	---
	Documentation/RelNotes/2.20.2.txt \| 18 ++++++++++++++++++
	GIT-VERSION-GEN \| 2 +-
	2 files changed, 19 insertions(+), 1 deletion(-)
	create mode 100644 Documentation/RelNotes/2.20.2.txt

	diff --git a/Documentation/RelNotes/2.20.2.txt b/Documentation/RelNotes/2.20.2.txt
	new file mode 100644
	index 0000000000..8e680cb9fb
	--- /dev/null
	+++ b/Documentation/RelNotes/2.20.2.txt
	@@ -0,0 +1,18 @@
	+Git v2.20.2 Release Notes
	+=========================
	+
	+This release merges up the fixes that appear in v2.14.6, v2.15.4
	+and in v2.17.3, addressing the security issues CVE-2019-1348,
	+CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
	+CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387; see the release notes
	+for those versions for details.
	+
	+The change to disallow `submodule.<name>.update=!command` entries in
	+`.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
	+added explicit fsck checks) fixes the vulnerability in v2.20.x where a
	+recursive clone followed by a submodule update could execute code
	+contained within the repository without the user explicitly having
	+asked for that (CVE-2019-19604).
	+
	+Credit for finding this vulnerability goes to Joern Schneeweisz,
	+credit for the fixes goes to Jonathan Nieder.
	diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN
	index d1a2814ec7..492f3480f0 100755
	--- a/GIT-VERSION-GEN
	+++ b/GIT-VERSION-GEN
	@@ -1,7 +1,7 @@
	#!/bin/sh

	GVF=GIT-VERSION-FILE
	-DEF_VER=v2.20.1
	+DEF_VER=v2.20.2

	LF='
	'
	--
	2.26.0.292.g33ef6b2f38