made the pack completely portable and wrote relevent bat files to go with it
This commit is contained in:
Draqoken
65
gitportable/mingw64/share/doc/git-doc/RelNotes/2.37.4.adoc
Normal file
65
gitportable/mingw64/share/doc/git-doc/RelNotes/2.37.4.adoc
Normal file
@@ -0,0 +1,65 @@
|
||||
Git 2.37.4 Release Notes
|
||||
========================
|
||||
|
||||
This primarily is to backport various fixes accumulated on the 'master'
|
||||
front since 2.37.3, and also includes the same security fixes as in
|
||||
v2.30.6.
|
||||
|
||||
Fixes since v2.37.3
|
||||
-------------------
|
||||
|
||||
* CVE-2022-39253:
|
||||
When relying on the `--local` clone optimization, Git dereferences
|
||||
symbolic links in the source repository before creating hardlinks
|
||||
(or copies) of the dereferenced link in the destination repository.
|
||||
This can lead to surprising behavior where arbitrary files are
|
||||
present in a repository's `$GIT_DIR` when cloning from a malicious
|
||||
repository.
|
||||
|
||||
Git will no longer dereference symbolic links via the `--local`
|
||||
clone mechanism, and will instead refuse to clone repositories that
|
||||
have symbolic links present in the `$GIT_DIR/objects` directory.
|
||||
|
||||
Additionally, the value of `protocol.file.allow` is changed to be
|
||||
"user" by default.
|
||||
|
||||
Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis.
|
||||
The fix was authored by Taylor Blau, with help from Johannes
|
||||
Schindelin.
|
||||
|
||||
* CVE-2022-39260:
|
||||
An overly-long command string given to `git shell` can result in
|
||||
overflow in `split_cmdline()`, leading to arbitrary heap writes and
|
||||
remote code execution when `git shell` is exposed and the directory
|
||||
`$HOME/git-shell-commands` exists.
|
||||
|
||||
`git shell` is taught to refuse interactive commands that are
|
||||
longer than 4MiB in size. `split_cmdline()` is hardened to reject
|
||||
inputs larger than 2GiB.
|
||||
|
||||
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of
|
||||
GitHub. The fix was authored by Kevin Backhouse, Jeff King, and
|
||||
Taylor Blau.
|
||||
|
||||
* An earlier optimization discarded a tree-object buffer that is
|
||||
still in use, which has been corrected.
|
||||
|
||||
* Fix deadlocks between main Git process and subprocess spawned via
|
||||
the pipe_command() API, that can kill "git add -p" that was
|
||||
reimplemented in C recently.
|
||||
|
||||
* xcalloc(), imitating calloc(), takes "number of elements of the
|
||||
array", and "size of a single element", in this order. A call that
|
||||
does not follow this ordering has been corrected.
|
||||
|
||||
* The preload-index codepath made copies of pathspec to give to
|
||||
multiple threads, which were left leaked.
|
||||
|
||||
* Update the version of Ubuntu used for GitHub Actions CI from 18.04
|
||||
to 22.04.
|
||||
|
||||
* The auto-stashed local changes created by "git merge --autostash"
|
||||
was mixed into a conflicted state left in the working tree, which
|
||||
has been corrected.
|
||||
|
||||
Also contains other minor documentation updates and code clean-ups.
|
||||
Reference in New Issue
Block a user