debian: new upstream point release
Apply the latest batch of security fixes from upstream.
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
diff --git a/debian/changelog b/debian/changelog
index d4dbf369..23027b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+git (1:2.39.5-0+deb12u1) bookworm-security; urgency=medium
+
+ * new upstream point release (see RelNotes/2.39.3.txt,
+ RelNotes/2.39.4.txt, RelNotes/2.39.5.txt). Addresses
+ CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002,
+ CVE-2024-32004, CVE-2024-32020, CVE-2023-32021 (closes:
+ #1071160).
+
+ -- Jonathan Nieder <jrnieder@gmail.com> Sun, 16 Jun 2024 17:37:10 +0000
+
git (1:2.39.2-1.1) unstable; urgency=medium
* Non-maintainer upload (only changes to git-doc).
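Review bot: CVE-2023-32021 at the end of the CVE list in the new entry looks like a year typo. The three IDs before it are CVE-2024-32002, CVE-2024-32004 and CVE-2024-32020, and this one continues that numbering under a 2023 prefix. Please check it against the RelNotes files the entry cites and correct the year if it is wrong; the changelog is where people search for a CVE ID to confirm that a given upload carries the fix, and a mistyped ID makes the real one look unaddressed.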
diff --git a/debian/changelog.upstream b/debian/changelog.upstream
index 55b97f3..69a4b86 100644
--- a/debian/changelog.upstream
+++ b/debian/changelog.upstream
@@ -1,3 +1,232 @@
+Version v2.39.5; changes since v2.39.4:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
+Version v2.39.4; changes since v2.39.3:
+---------------------------------------
+
+Filip Hejsek (4):
+ t0411: add tests for cloning from partial repo
+ has_dir_name(): do not get confused by characters < '/'
+ t7423: add tests for symlinked submodule directories
+ clone: prevent clashing git dirs when cloning submodule in parallel
+
+Jeff Hostetler (1):
+ fsmonitor: eliminate call to deprecated FSEventStream function
+
+Jeff King (29):
+ t/lib-httpd: bump required apache version to 2.2
+ t/lib-httpd: bump required apache version to 2.4
+ t/lib-httpd: drop SSLMutex config
+ t/lib-httpd: increase ssl key size to 2048 bits
+ t5541: run "used receive-pack service" test earlier
+ t5541: stop marking "used receive-pack service" test as v0 only
+ t5541: simplify and move "no empty path components" test
+ t5551: drop redundant grep for Accept-Language
+ t5551: lower-case headers in expected curl trace
+ t5551: handle HTTP/2 when checking curl trace
+ t5551: stop forcing clone to run with v0 protocol
+ t5551: handle v2 protocol when checking curl trace
+ t5551: handle v2 protocol in upload-pack service test
+ t5551: simplify expected cookie file
+ t5551: handle v2 protocol in cookie test
+ t5551: drop curl trace lines without headers
+ t/lib-httpd: respect $HTTPD_PROTO in expect_askpass()
+ t/lib-httpd: enable HTTP/2 "h2" protocol, not just h2c
+ t5559: fix test failures with LIB_HTTPD_SSL
+ t5559: make SSL/TLS the default
+ http: handle both "h2" and "h2h3" in curl info lines
+ http: factor out matching of curl http/2 trace lines
+ http: update curl http/2 info matching for curl 8.3.0
+ http: reset POSTFIELDSIZE when clearing curl handle
+ INSTALL: bump libcurl version to 7.21.3
+ remote-curl: add Transfer-Encoding header only for older curl
+ test-lib: ignore uninteresting LSan output
+ upload-pack: disable lazy-fetching by default
+ docs: document security issues around untrusted .git dirs
+
+Johannes Schindelin (19):
+ ci: upgrade to using macos-13
+ ci(linux-asan/linux-ubsan): let's save some time
+ ci: bump remaining outdated Actions versions
+ ci(linux32): add a note about Actions that must not be updated
+ fetch/clone: detect dubious ownership of local repositories
+ submodules: submodule paths must not contain symlinks
+ clone_submodule: avoid using `access()` on directories
+ submodule: require the submodule path to contain directories only
+ t5510: verify that D/F confusion cannot lead to an RCE
+ entry: report more colliding paths
+ clone: when symbolic links collide with directories, keep the latter
+ find_hook(): refactor the `STRIP_EXTENSION` logic
+ init: refactor the template directory discovery into its own function
+ Add a helper function to compare file contents
+ clone: prevent hooks from running during a clone
+ init.templateDir: consider this config setting protected
+ core.hooksPath: add some protection while cloning
+ fsck: warn about symlink pointing inside a gitdir
+ Git 2.39.4
+
+Junio C Hamano (2):
+ GitHub Actions: update to checkout@v4
+ GitHub Actions: update to github-script@v7
+
+Patrick Steinhardt (4):
+ builtin/clone: stop resolving symlinks when copying files
+ builtin/clone: abort when hardlinked source and target file differ
+ setup.c: introduce `die_upon_dubious_ownership()`
+ builtin/clone: refuse local clones of unsafe repositories
+
+
+Version v2.39.3; changes since v2.39.2:
+---------------------------------------
+
+Chris. Webster (3):
+ ci (check-whitespace): suggest fixes for errors
+ ci (check-whitespace): add links to job output
+ ci (check-whitespace): move to actions/checkout@v3
+
+Derrick Stolee (1):
+ ci: update 'static-analysis' to Ubuntu 22.04
+
+Eric Sunshine (1):
+ githooks: discuss Git operations in foreign repositories
+
+Jeff King (25):
+ git-compat-util: avoid redefining system function names
+ git-compat-util: undefine system names before redeclaring them
+ server_supports_v2(): use a separate function for die_on_error
+ ls-refs: use repository parameter to iterate refs
+ blob: drop unused parts of parse_blob_buffer()
+ list-objects: drop process_gitlink() function
+ ws: drop unused parameter from ws_blank_line()
+ xdiff: drop unused parameter in def_ff()
+ xdiff: mark unused parameter in xdl_call_hunk_func()
+ diff: mark unused parameters in callbacks
+ list-objects-filter: mark unused parameters in virtual functions
+ userdiff: mark unused parameter in internal callback
+ diff: use filespec path to set up tempfiles for ext-diff
+ diff: clean up external-diff argv setup
+ diff: drop "name" parameter from prepare_temp_file()
+ http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
+ http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
+ http: support CURLOPT_PROTOCOLS_STR
+ http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
+ http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
+ range-diff: drop useless "offset" variable from read_patches()
+ http: support CURLOPT_PROTOCOLS_STR
+ range-diff: handle unterminated lines in read_patches()
+ range-diff: use ssize_t for parsed "len" in read_patches()
+ Makefile: force -O0 when compiling with SANITIZE=leak
+
+Jiang Xin (4):
+ github-actions: run gcc-8 on ubuntu-20.04 image
+ ci: remove the pipe after "p4 -V" to catch errors
+ ci: use the same version of p4 on both Linux and macOS
+ ci: install python on ubuntu
+
+Johannes Schindelin (22):
+ ci: only run win+VS build & tests in Git for Windows' fork
+ compat/win32/syslog: fix use-after-realloc
+ nedmalloc: avoid new compile error
+ t0033: GETTEXT_POISON fix
+ t0003: GETTEXT_POISON fix, part 1
+ t0003: GETTEXT_POISON fix, conclusion
+ t5619: GETTEXT_POISON fix
+ t5604: GETTEXT_POISON fix, part 1
+ t5604: GETTEXT_POISON fix, conclusion
+ clone.c: avoid "exceeds maximum object size" error with GCC v12.x
+ apply --reject: overwrite existing `.rej` symlink if it exists
+ gettext: avoid using gettext if the locale dir is not present
+ tests: avoid using `test_i18ncmp`
+ Git 2.31.8
+ Git 2.32.7
+ Git 2.33.8
+ Git 2.34.8
+ Git 2.35.8
+ Git 2.36.6
+ Git 2.37.7
+ Git 2.38.5
+ Git 2.39.3
+
+Johannes Sixt (1):
+ t3920: don't ignore errors of more than one command with `|| true`
+
+Junio C Hamano (4):
+ branch: document `-f` and linked worktree behaviour
+ checkout: document -b/-B to highlight the differences from "git branch"
+ Prepare for 2.39.3 just in case
+ http.c: clear the 'finished' member once we are done with it
+
+Lars Kellogg-Stedman (1):
+ line-range: fix infinite loop bug with '$' regex
+
+Patrick Steinhardt (1):
+ refs: fix corruption by not correctly syncing packed-refs to disk
+
+Philippe Blain (5):
+ git-cherry-pick.txt: do not use 'ORIG_HEAD' in example
+ git-reset.txt: mention 'ORIG_HEAD' in the Description
+ git-merge.txt: mention 'ORIG_HEAD' in the Description
+ revisions.txt: be explicit about commands writing 'ORIG_HEAD'
+ git-rebase.txt: add a note about 'ORIG_HEAD' being overwritten
+
+René Scharfe (10):
+ t4205: don't exit test script on failure
+ list-objects-filter: plug pattern_list leak
+ t3920: support CR-eating grep
+ reflog: clear leftovers in reflog_expiry_cleanup()
+ commit: skip already cleared parents in clear_commit_marks_1()
+ am: don't pass strvec to apply_parse_options()
+ object-file: inline write_buffer()
+ use enhanced basic regular expressions on macOS
+ ls-tree: fix expansion of repeated %(path)
+ ls-tree: remove dead store and strbuf for quote_c_style()
+
+Rubén Justo (1):
+ branch: force-copy a branch to itself via @{-1} is a no-op
+
+Seija Kijin (1):
+ git: remove duplicate includes
+
+Taylor Blau (6):
+ ci: avoid unnecessary builds
+ t1300: demonstrate failure when renaming sections with long lines
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ Git 2.30.9
+
+William Sprent (1):
+ dir: check for single file cone patterns
+
+Ævar Arnfjörð Bjarmason (6):
+ t5314: check exit code of "git"
+ t7600: don't ignore "rev-parse" exit code in helper
+ t4023: fix ignored exit codes of git
+ bundle: don't segfault on "git bundle <subcmd>"
+ builtin/bundle.c: remove superfluous "newargc" variable
+ bundle <cmd>: have usage_msg_opt() note the missing "<file>"
+
+
Version v2.39.2; changes since v2.39.1:
---------------------------------------
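Review bot: the v2.39.5 block at the top of this hunk reverts part of the hardening listed in the v2.39.4 block, and nothing in the Debian changelog entry tells the reader so. Specifically, 2.39.5 carries Revert "core.hooksPath: add some protection while cloning", Revert "fsck: warn about symlink pointing inside a gitdir", Revert "Add a helper function to compare file contents" and "clone: drop the protections where hooks aren't run", each of which undoes or relaxes an item under Johannes Schindelin (19) in 2.39.4. Consider adding one line to the debian/changelog entry saying that these hook-related protections from 2.39.4 are not part of the shipped result, so an admin reading only the 2.39.4 list does not assume they are in place. Minor: under v2.39.3, the Jeff King (25) list has "http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT", "http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION" and "http: support CURLOPT_PROTOCOLS_STR" twice each; if this file is generated from the upstream shortlog that is expected, otherwise it is worth confirming it is not a paste error.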
diff --git a/debian/versions.upstream b/debian/versions.upstream
index 813c4e1..3f04fa9 100644
--- a/debian/versions.upstream
+++ b/debian/versions.upstream
@@ -821,3 +821,6 @@
v2.39.0
v2.39.1
v2.39.2
+v2.39.3
+v2.39.4
+v2.39.5