<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/git, branch yocto-4.0.12</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-4.0.12</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-4.0.12'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2023-05-30T14:11:15+00:00</updated>
<entry>
<title>git: ignore CVE-2023-25815</title>
<updated>2023-05-30T14:11:15+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2023-05-22T07:36:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f72863d66e8d4588f53253283e50fb474afa2ebb'/>
<id>urn:sha1:f72863d66e8d4588f53253283e50fb474afa2ebb</id>
<content type='text'>
This is specific to Git-for-Windows.

(From OE-Core rev: 472a3e05270deace2862973dee2e65e60f9c0c19)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>git: fix CVE-2023-25652</title>
<updated>2023-05-12T14:04:52+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2023-05-07T08:09:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf'/>
<id>urn:sha1:6d618c1b8b64cf285aa6878c9b0fd61a7c7757cf</id>
<content type='text'>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

(From OE-Core rev: 335ad8a6d795cd94b872370e44a033ce3fbf4890)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>git: fix CVE-2023-29007</title>
<updated>2023-05-12T14:04:52+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2023-05-07T08:08:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=04316b4f470e28cdb47f49e84e5f9848ccb5368c'/>
<id>urn:sha1:04316b4f470e28cdb47f49e84e5f9848ccb5368c</id>
<content type='text'>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

(From OE-Core rev: 1b55343b6346437b80b8a8180ae1bc9f480d92ef)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>git: ignore CVE-2023-22743</title>
<updated>2023-03-28T21:31:53+00:00</updated>
<author>
<name>Chee Yang Lee</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2023-03-18T11:58:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=343ed537c3ae1e740b9e2a8fa3b3a210ade5dccf'/>
<id>urn:sha1:343ed537c3ae1e740b9e2a8fa3b3a210ade5dccf</id>
<content type='text'>
(From OE-Core rev: 8a8a86076f9eed36b7f4c831ad8882d07de62e8e)

Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
(cherry picked from commit 70adf86b515934168a6185dcff4a8edb39a40017)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: upgrade 2.35.6 -&gt; 2.35.7</title>
<updated>2023-02-24T16:41:46+00:00</updated>
<author>
<name>Sakib Sajal</name>
<email>sakib.sajal@windriver.com</email>
</author>
<published>2023-02-15T21:42:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=cd38b687c4a7a25fc3f7f6086e36f1ec3a2bcc3d'/>
<id>urn:sha1:cd38b687c4a7a25fc3f7f6086e36f1ec3a2bcc3d</id>
<content type='text'>
Upgrade git to latest 2.37.x release to address
security issues CVE-2022-23521 and CVE-2022-41903.

(From OE-Core rev: 0e7de5066491bc9b860ad4d65965d6f848898aff)

Signed-off-by: Sakib Sajal &lt;sakib.sajal@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: ignore CVE-2022-41953</title>
<updated>2023-02-15T21:46:55+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-01-30T12:07:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=aefb39658a2660d083723d656a019145dfa9b301'/>
<id>urn:sha1:aefb39658a2660d083723d656a019145dfa9b301</id>
<content type='text'>
This is specific to Git-for-Windows.

(From OE-Core rev: 72438f0a54296a12cfd770c5c67b1e038f019dee)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit c8849af809e0213d43e18e5d01067eeeb61b330d)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: upgrade to 2.35.6</title>
<updated>2023-02-15T21:46:55+00:00</updated>
<author>
<name>Chee Yang Lee</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2023-02-10T05:35:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=21f5304a57d0f64d797dbbfce13d820fc966cf52'/>
<id>urn:sha1:21f5304a57d0f64d797dbbfce13d820fc966cf52</id>
<content type='text'>
upgrade include fix for CVE-2022-23521 and CVE-2022-41903

(From OE-Core rev: d21b033c2f8890989729bc1468254c9298f9a518)

Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: upgrade 2.35.4 -&gt; 2.35.5</title>
<updated>2022-10-29T15:32:24+00:00</updated>
<author>
<name>Tim Orling</name>
<email>ticotimo@gmail.com</email>
</author>
<published>2022-10-24T19:01:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=35d24e67138975945024c548e1860b52e1bdd94e'/>
<id>urn:sha1:35d24e67138975945024c548e1860b52e1bdd94e</id>
<content type='text'>
This release addresses the security issues CVE-2022-39253 and
CVE-2022-39260.

 * CVE-2022-39253:
   When relying on the `--local` clone optimization, Git dereferences
   symbolic links in the source repository before creating hardlinks
   (or copies) of the dereferenced link in the destination repository.
   This can lead to surprising behavior where arbitrary files are
   present in a repository's `$GIT_DIR` when cloning from a malicious
   repository.

   Git will no longer dereference symbolic links via the `--local`
   clone mechanism, and will instead refuse to clone repositories that
   have symbolic links present in the `$GIT_DIR/objects` directory.

   Additionally, the value of `protocol.file.allow` is changed to be
   "user" by default.

 * CVE-2022-39260:
   An overly-long command string given to `git shell` can result in
   overflow in `split_cmdline()`, leading to arbitrary heap writes and
   remote code execution when `git shell` is exposed and the directory
   `$HOME/git-shell-commands` exists.

   `git shell` is taught to refuse interactive commands that are
   longer than 4MiB in size. `split_cmdline()` is hardened to reject
   inputs larger than 2GiB.

Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The
fix was authored by Taylor Blau, with help from Johannes Schindelin.

Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.

(From OE-Core rev: 43badfadb92a1d6684801f81fa2ed9c8b5652bb6)

Signed-off-by: Tim Orling &lt;tim.orling@konsulko.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: upgrade v2.35.3 -&gt; v2.35.4</title>
<updated>2022-08-01T15:27:30+00:00</updated>
<author>
<name>Sakib Sajal</name>
<email>sakib.sajal@windriver.com</email>
</author>
<published>2022-07-26T05:37:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=db4ce356a84df1a50ae95df17c172a36d0023975'/>
<id>urn:sha1:db4ce356a84df1a50ae95df17c172a36d0023975</id>
<content type='text'>
Minor upgrade which includes fix for CVE-2022-29187.

(From OE-Core rev: 11943acaacd9b81b09ca378f40b17c393d33cb4b)

Signed-off-by: Sakib Sajal &lt;sakib.sajal@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>git: fix override syntax in RDEPENDS</title>
<updated>2022-06-22T22:46:29+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2022-06-14T02:42:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=53e89f549977e75e90d4cf3019e35697d0907068'/>
<id>urn:sha1:53e89f549977e75e90d4cf3019e35697d0907068</id>
<content type='text'>
RDEPENDS_${PN}-tk -&gt; RDEPENDS:${PN}-tk

(From OE-Core rev: 025d22e9c90ec0a46c1295149f1d43187c76cbe9)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 1ed9267a318d53a302991a8ec7259d3bb809eaaa)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
