From: Tim Orling Date: Mon, 24 Oct 2022 17:07:20 +0000 (-0700) Subject: git: upgrade 2.37.3 -> 2.38.1 X-Git-Tag: lucaceresoli/bug-15201-perf-libtraceevent-missing~2731 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b304768711374066db320fe87960be81f54a8424;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git git: upgrade 2.37.3 -> 2.38.1 Fixes CVE-2022-39260 Git v2.38.1 Release Notes ========================= This release merges the security fix that appears in v2.30.6; see the release notes for that version for details. Excerpt from 2.30.6 release notes: * CVE-2022-39260: An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists. `git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB. Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub. The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau. For 2.38.0 changes, see: https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.0.txt Signed-off-by: Tim Orling Signed-off-by: Alexandre Belloni --- diff --git a/meta/recipes-devtools/git/git_2.37.3.bb b/meta/recipes-devtools/git/git_2.38.1.bb similarity index 98% rename from meta/recipes-devtools/git/git_2.37.3.bb rename to meta/recipes-devtools/git/git_2.38.1.bb index 2eed85e807f..033e36ae16f 100644 --- a/meta/recipes-devtools/git/git_2.37.3.bb +++ b/meta/recipes-devtools/git/git_2.38.1.bb @@ -165,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "181f65587155ea48c682f63135678ec53055adf1532428752912d356e46b64a8" +SRC_URI[tarball.sha256sum] = "620ed3df572a34e782a2be4c7d958d443469b2665eac4ae33f27da554d88b270"