SUSE: 2020:1121-1 moderate: git
Summary
This update for git fixes the following issues:
Security issues fixed:
* CVE-2020-11008: Specially crafted URLs may have tricked the credential
helper into providing credential information that is not appropriate for
the protocol in use and host being contacted (bsc#1169936)
git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792)
- Fix git-daemon not starting after conversion from sysvinit to systemd
service (bsc#1169605).
* CVE-2020-5260: Specially crafted URLs with newline characters could have
been used to make the Git client send credential information for the
wrong host to the attacker's site (bsc#1168930)
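A defensive check for the class of input described in CVE-2020-5260, as an added example that is not part of this advisory or of Git's own code: it flags submodule URLs that contain a newline or other control character, either raw or after percent-decoding. The function names, the sample `.gitmodules` text and the `git.example.test` host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Control characters (CR and LF included) have no place in a Git remote URL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Matches "url = <value>" lines as they appear in .gitmodules or .git/config.
_URL_LINE = re.compile(r"^\s*url\s*=\s*(\S.*?)\s*$", re.IGNORECASE)


def url_findings(url):
    """Return the reasons a URL should be rejected; empty list if it is clean."""
    findings = []
    if _CONTROL.search(url):
        findings.append("raw control character")
    decoded = unquote(url)
    # Percent-decoding can reveal a newline that the raw text hides.
    if decoded != url and _CONTROL.search(decoded):
        findings.append("percent-encoded control character")
    return findings


def audit_gitmodules(text):
    """Map each flagged URL found in .gitmodules-style text to its findings."""
    flagged = {}
    for line in text.splitlines():
        match = _URL_LINE.match(line)
        if match:
            reasons = url_findings(match.group(1))
            if reasons:
                flagged[match.group(1)] = reasons
    return flagged


# Constructed sample input, not taken from any real repository.
SAMPLE_GITMODULES = '''[submodule "docs"]
\tpath = docs
\turl = https://git.example.test/team/docs.git
[submodule "vendor"]
\tpath = vendor
\turl = https://git.example.test/team/vendor%0Alib.git
'''

if __name__ == "__main__":
    for url, reasons in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"REJECT {url}: {', '.join(reasons)}")
```

Running the same check in CI over `.gitmodules` before a recursive clone covers hosts where the updated git package is not yet installed.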
git 2.26.0 (bsc#1167890, jsc#SLE-11608):
* "git rebase" now uses a different backend that is based on the 'merge'
machinery by default. The 'rebase.backend' configuration variable
reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.2:
* bug fixes to various subcommands in specific operations
git 2.25.1:
* "git commit" now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0
* The branch description ("git branch --edit-description") has been used
to fill the body of the cover letters by the format-patch command; this
has been enhanced so that the subject can also be filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line arguments,
with the "--pathspec-from-file" option.
* Test updates to prepare for the SHA-2 transition continue.
* Redo "git name-rev" to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that as
a rename/merge of the subdirectory to the root directory, which has been
corrected.
* HTTP transport had possible allocator/deallocator mismatch, which has
been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is exposed also
via the in-stream command feature export-marks=... and it allows
overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned recursively, under
certain circumstances Git could be fooled into using the same Git
directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments allowed
remote code execution during a recursive clone in conjunction with SSH
URLs (bsc#1158788)
* CVE-2019-1351: on Windows, Git mistakes drive letters outside of the
US-English alphabet for relative paths (bsc#1158789)
* CVE-2019-1352: on Windows, Git was unaware of NTFS Alternate Data Streams
(bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux while
accessing a working directory on a regular Windows drive, none of the
NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows, Git refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused by too-lax
validation of submodule names, allowing very targeted attacks via remote
code execution in recursive clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule update could
execute code contained within the repository without the user explicitly
having asked for that (bsc#1158795)
git 2.24.0
* The command line parser learned "--end-of-options" notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* "git fetch" learned "--set-upstream" option to help those who first
clone from their private fork they intend to push to, add the true
upstream via "git remote add" and then "git fetch" from it.
* fixes and improvements to UI, workflow and features, bash completion
fixes
git 2.23.0:
* The "--base" option of "format-patch" computed the patch-ids for
prerequisite patches in an unstable way, which has been updated to
compute in a way that is compatible with "git patch-id --stable".
* The "git log" command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1
* A relative pathname given to "git init --template=
References
#1063412 #1095218 #1095219 #1110949 #1112230
#1114225 #1132350 #1149792 #1156651 #1158785
#1158787 #1158788 #1158789 #1158790 #1158791
#1158792 #1158793 #1158795 #1167890 #1168930
#1169605 #1169786 #1169936
Cross-References:
CVE-2017-15298 CVE-2018-11233 CVE-2018-11235
CVE-2018-17456 CVE-2019-1348 CVE-2019-1349
CVE-2019-1350 CVE-2019-1351 CVE-2019-1352
CVE-2019-1353 CVE-2019-1354 CVE-2019-1387
CVE-2019-19604 CVE-2020-11008 CVE-2020-5260
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
SUSE Linux Enterprise Module for Development Tools 15-SP1
SUSE Linux Enterprise Module for Basesystem 15-SP1
https://www.suse.com/security/cve/CVE-2017-15298.html
https://www.suse.com/security/cve/CVE-2018-11233.html
https://www.suse.com/security/cve/CVE-2018-11235.html
https://www.suse.com/security/cve/CVE-2018-17456.html
https://www.suse.com/security/cve/CVE-2019-1348.html
https://www.suse.com/security/cve/CVE-2019-1349.html
https://www.suse.com/security/cve/CVE-2019-1350.html
https://www.suse.com/security/cve/CVE-2019-1351.html
https://www.suse.com/security/cve/CVE-2019-1352.html
https://www.suse.com/security/cve/CVE-2019-1353.html
https://www.suse.com/security/cve/CVE-2019-1354.html
https://www.suse.com/security/cve/CVE-2019-1387.html
https://www.suse.com/security/cve/CVE-2019-19604.html
https://www.suse.com/security/cve/CVE-2020-11008.html
https://www.suse.com/security/cve/CVE-2020-5260.html
https://bugzilla.suse.com/1063412
https://bugzilla.suse.com/1095218
https://bugzilla.suse.com/1095219
https://bugzilla.suse.com/1110949
https://bugzilla.suse.com/1112230
https://bugzilla.suse.com/1114225
https://bugzilla.suse.com/1132350
https://bugzilla.suse.com/1149792
https://bugzilla.suse.com/1156651
https://bugzilla.suse.com/1158785
https://bugzilla.suse.com/1158787
https://bugzilla.suse.com/1158788
https://bugzilla.suse.com/1158789
https://bugzilla.suse.com/1158790
https://bugzilla.suse.com/1158791
https://bugzilla.suse.com/1158792
https://bugzilla.suse.com/1158793
https://bugzilla.suse.com/1158795
https://bugzilla.suse.com/1167890
https://bugzilla.suse.com/1168930
https://bugzilla.suse.com/1169605
https://bugzilla.suse.com/1169786
https://bugzilla.suse.com/1169936