debian: new upstream point release

Apply the latest batch of security fixes from upstream.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
diff --git a/debian/changelog b/debian/changelog
index d4dbf369..23027b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+git (1:2.39.5-0+deb12u1) bookworm-security; urgency=medium
+
+  * new upstream point release (see RelNotes/2.39.3.txt,
+    RelNotes/2.39.4.txt, RelNotes/2.39.5.txt).  Addresses
+    CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002,
+    CVE-2024-32004, CVE-2024-32020, CVE-2023-32021 (closes:
+    #1071160).
+
+ -- Jonathan Nieder <jrnieder@gmail.com>  Sun, 16 Jun 2024 17:37:10 +0000
+
 git (1:2.39.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload (only changes to git-doc).
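Review bot: In the CVE list of the new bookworm-security entry, CVE-2023-32021 carries a 2023 year while its immediate neighbour is CVE-2024-32020 and the other ids in that group are CVE-2024-32002 and CVE-2024-32004, so this looks like a typo in the year. Please check the id against RelNotes/2.39.4.txt, which the entry already cites, and correct it if needed; anyone matching this upload against a CVE id will search for the exact string, and a wrong year makes the fix look absent.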
diff --git a/debian/changelog.upstream b/debian/changelog.upstream
index 55b97f3..69a4b86 100644
--- a/debian/changelog.upstream
+++ b/debian/changelog.upstream
@@ -1,3 +1,232 @@
+Version v2.39.5; changes since v2.39.4:
+---------------------------------------
+
+Jeff King (5):
+      send-email: drop FakeTerm hack
+      send-email: avoid creating more than one Term::ReadLine object
+      ci: drop mention of BREW_INSTALL_PACKAGES variable
+      ci: avoid bare "gcc" for osx-gcc job
+      ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+      hook: plug a new memory leak
+      init: use the correct path of the templates directory again
+      Revert "core.hooksPath: add some protection while cloning"
+      tests: verify that `clone -c core.hooksPath=/dev/null` works again
+      clone: drop the protections where hooks aren't run
+      Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+      Revert "fsck: warn about symlink pointing inside a gitdir"
+      Git 2.39.5
+
+
+Version v2.39.4; changes since v2.39.3:
+---------------------------------------
+
+Filip Hejsek (4):
+      t0411: add tests for cloning from partial repo
+      has_dir_name(): do not get confused by characters < '/'
+      t7423: add tests for symlinked submodule directories
+      clone: prevent clashing git dirs when cloning submodule in parallel
+
+Jeff Hostetler (1):
+      fsmonitor: eliminate call to deprecated FSEventStream function
+
+Jeff King (29):
+      t/lib-httpd: bump required apache version to 2.2
+      t/lib-httpd: bump required apache version to 2.4
+      t/lib-httpd: drop SSLMutex config
+      t/lib-httpd: increase ssl key size to 2048 bits
+      t5541: run "used receive-pack service" test earlier
+      t5541: stop marking "used receive-pack service" test as v0 only
+      t5541: simplify and move "no empty path components" test
+      t5551: drop redundant grep for Accept-Language
+      t5551: lower-case headers in expected curl trace
+      t5551: handle HTTP/2 when checking curl trace
+      t5551: stop forcing clone to run with v0 protocol
+      t5551: handle v2 protocol when checking curl trace
+      t5551: handle v2 protocol in upload-pack service test
+      t5551: simplify expected cookie file
+      t5551: handle v2 protocol in cookie test
+      t5551: drop curl trace lines without headers
+      t/lib-httpd: respect $HTTPD_PROTO in expect_askpass()
+      t/lib-httpd: enable HTTP/2 "h2" protocol, not just h2c
+      t5559: fix test failures with LIB_HTTPD_SSL
+      t5559: make SSL/TLS the default
+      http: handle both "h2" and "h2h3" in curl info lines
+      http: factor out matching of curl http/2 trace lines
+      http: update curl http/2 info matching for curl 8.3.0
+      http: reset POSTFIELDSIZE when clearing curl handle
+      INSTALL: bump libcurl version to 7.21.3
+      remote-curl: add Transfer-Encoding header only for older curl
+      test-lib: ignore uninteresting LSan output
+      upload-pack: disable lazy-fetching by default
+      docs: document security issues around untrusted .git dirs
+
+Johannes Schindelin (19):
+      ci: upgrade to using macos-13
+      ci(linux-asan/linux-ubsan): let's save some time
+      ci: bump remaining outdated Actions versions
+      ci(linux32): add a note about Actions that must not be updated
+      fetch/clone: detect dubious ownership of local repositories
+      submodules: submodule paths must not contain symlinks
+      clone_submodule: avoid using `access()` on directories
+      submodule: require the submodule path to contain directories only
+      t5510: verify that D/F confusion cannot lead to an RCE
+      entry: report more colliding paths
+      clone: when symbolic links collide with directories, keep the latter
+      find_hook(): refactor the `STRIP_EXTENSION` logic
+      init: refactor the template directory discovery into its own function
+      Add a helper function to compare file contents
+      clone: prevent hooks from running during a clone
+      init.templateDir: consider this config setting protected
+      core.hooksPath: add some protection while cloning
+      fsck: warn about symlink pointing inside a gitdir
+      Git 2.39.4
+
+Junio C Hamano (2):
+      GitHub Actions: update to checkout@v4
+      GitHub Actions: update to github-script@v7
+
+Patrick Steinhardt (4):
+      builtin/clone: stop resolving symlinks when copying files
+      builtin/clone: abort when hardlinked source and target file differ
+      setup.c: introduce `die_upon_dubious_ownership()`
+      builtin/clone: refuse local clones of unsafe repositories
+
+
+Version v2.39.3; changes since v2.39.2:
+---------------------------------------
+
+Chris. Webster (3):
+      ci (check-whitespace): suggest fixes for errors
+      ci (check-whitespace): add links to job output
+      ci (check-whitespace): move to actions/checkout@v3
+
+Derrick Stolee (1):
+      ci: update 'static-analysis' to Ubuntu 22.04
+
+Eric Sunshine (1):
+      githooks: discuss Git operations in foreign repositories
+
+Jeff King (25):
+      git-compat-util: avoid redefining system function names
+      git-compat-util: undefine system names before redeclaring them
+      server_supports_v2(): use a separate function for die_on_error
+      ls-refs: use repository parameter to iterate refs
+      blob: drop unused parts of parse_blob_buffer()
+      list-objects: drop process_gitlink() function
+      ws: drop unused parameter from ws_blank_line()
+      xdiff: drop unused parameter in def_ff()
+      xdiff: mark unused parameter in xdl_call_hunk_func()
+      diff: mark unused parameters in callbacks
+      list-objects-filter: mark unused parameters in virtual functions
+      userdiff: mark unused parameter in internal callback
+      diff: use filespec path to set up tempfiles for ext-diff
+      diff: clean up external-diff argv setup
+      diff: drop "name" parameter from prepare_temp_file()
+      http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
+      http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
+      http: support CURLOPT_PROTOCOLS_STR
+      http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
+      http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
+      range-diff: drop useless "offset" variable from read_patches()
+      http: support CURLOPT_PROTOCOLS_STR
+      range-diff: handle unterminated lines in read_patches()
+      range-diff: use ssize_t for parsed "len" in read_patches()
+      Makefile: force -O0 when compiling with SANITIZE=leak
+
+Jiang Xin (4):
+      github-actions: run gcc-8 on ubuntu-20.04 image
+      ci: remove the pipe after "p4 -V" to catch errors
+      ci: use the same version of p4 on both Linux and macOS
+      ci: install python on ubuntu
+
+Johannes Schindelin (22):
+      ci: only run win+VS build & tests in Git for Windows' fork
+      compat/win32/syslog: fix use-after-realloc
+      nedmalloc: avoid new compile error
+      t0033: GETTEXT_POISON fix
+      t0003: GETTEXT_POISON fix, part 1
+      t0003: GETTEXT_POISON fix, conclusion
+      t5619: GETTEXT_POISON fix
+      t5604: GETTEXT_POISON fix, part 1
+      t5604: GETTEXT_POISON fix, conclusion
+      clone.c: avoid "exceeds maximum object size" error with GCC v12.x
+      apply --reject: overwrite existing `.rej` symlink if it exists
+      gettext: avoid using gettext if the locale dir is not present
+      tests: avoid using `test_i18ncmp`
+      Git 2.31.8
+      Git 2.32.7
+      Git 2.33.8
+      Git 2.34.8
+      Git 2.35.8
+      Git 2.36.6
+      Git 2.37.7
+      Git 2.38.5
+      Git 2.39.3
+
+Johannes Sixt (1):
+      t3920: don't ignore errors of more than one command with `|| true`
+
+Junio C Hamano (4):
+      branch: document `-f` and linked worktree behaviour
+      checkout: document -b/-B to highlight the differences from "git branch"
+      Prepare for 2.39.3 just in case
+      http.c: clear the 'finished' member once we are done with it
+
+Lars Kellogg-Stedman (1):
+      line-range: fix infinite loop bug with '$' regex
+
+Patrick Steinhardt (1):
+      refs: fix corruption by not correctly syncing packed-refs to disk
+
+Philippe Blain (5):
+      git-cherry-pick.txt: do not use 'ORIG_HEAD' in example
+      git-reset.txt: mention 'ORIG_HEAD' in the Description
+      git-merge.txt: mention 'ORIG_HEAD' in the Description
+      revisions.txt: be explicit about commands writing 'ORIG_HEAD'
+      git-rebase.txt: add a note about 'ORIG_HEAD' being overwritten
+
+René Scharfe (10):
+      t4205: don't exit test script on failure
+      list-objects-filter: plug pattern_list leak
+      t3920: support CR-eating grep
+      reflog: clear leftovers in reflog_expiry_cleanup()
+      commit: skip already cleared parents in clear_commit_marks_1()
+      am: don't pass strvec to apply_parse_options()
+      object-file: inline write_buffer()
+      use enhanced basic regular expressions on macOS
+      ls-tree: fix expansion of repeated %(path)
+      ls-tree: remove dead store and strbuf for quote_c_style()
+
+Rubén Justo (1):
+      branch: force-copy a branch to itself via @{-1} is a no-op
+
+Seija Kijin (1):
+      git: remove duplicate includes
+
+Taylor Blau (6):
+      ci: avoid unnecessary builds
+      t1300: demonstrate failure when renaming sections with long lines
+      config: avoid fixed-sized buffer when renaming/deleting a section
+      config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+      config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+      Git 2.30.9
+
+William Sprent (1):
+      dir: check for single file cone patterns
+
+Ævar Arnfjörð Bjarmason (6):
+      t5314: check exit code of "git"
+      t7600: don't ignore "rev-parse" exit code in helper
+      t4023: fix ignored exit codes of git
+      bundle: don't segfault on "git bundle <subcmd>"
+      builtin/bundle.c: remove superfluous "newargc" variable
+      bundle <cmd>: have usage_msg_opt() note the missing "<file>"
+
+
 Version v2.39.2; changes since v2.39.1:
 ---------------------------------------
 
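Review bot: In the v2.39.3 section, the "Jeff King (25)" block lists three subjects twice: "http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT", "http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION" and "http: support CURLOPT_PROTOCOLS_STR". If this file is generated from the upstream shortlog, please confirm the repeats come from the generator (the same subject landing through more than one commit) and not from a hand edit or a bad merge of the file; if they do not, drop the second copies and adjust the count in the header line.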
diff --git a/debian/versions.upstream b/debian/versions.upstream
index 813c4e1..3f04fa9 100644
--- a/debian/versions.upstream
+++ b/debian/versions.upstream
@@ -821,3 +821,6 @@
 v2.39.0
 v2.39.1
 v2.39.2
+v2.39.3
+v2.39.4
+v2.39.5