Hello community, here is the log from the commit of package git for openSUSE:Factory checked in at 2015-05-02 17:24:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/git (Old) and /work/SRC/openSUSE:Factory/.git.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "git" Changes: -------- --- /work/SRC/openSUSE:Factory/git/git.changes 2015-04-28 20:47:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.git.new/git.changes 2015-05-02 17:24:46.000000000 +0200 @@ -1,0 +2,15 @@ +Tue Apr 28 15:56:38 UTC 2015 - [email protected] + +- git 2.3.7: + * An earlier update to the parser that disects a URL broke an + address, followed by a colon, followed by an empty string (instead + of the port number), e.g. ssh://example.com:/path/to/repo. + * The completion script (in contrib/) contaminated global namespace + and clobbered on a shell variable $x. + * The "git push --signed" protocol extension did not limit what the + "nonce" that is a server-chosen string can contain or how long it + can be, which was unnecessarily lax. Limit both the length and the + alphabet to a reasonably small space that can still have enough + entropy. + +------------------------------------------------------------------- Old: ---- git-2.3.6.tar.xz New: ---- git-2.3.7.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.uaujAe/_old 2015-05-02 17:24:47.000000000 +0200 +++ /var/tmp/diff_new_pack.uaujAe/_new 2015-05-02 17:24:47.000000000 +0200 @@ -26,7 +26,7 @@ %endif Name: git -Version: 2.3.6 +Version: 2.3.7 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0 ++++++ git-2.3.6.tar.xz -> git-2.3.7.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/Documentation/RelNotes/2.3.7.txt new/git-2.3.7/Documentation/RelNotes/2.3.7.txt --- old/git-2.3.6/Documentation/RelNotes/2.3.7.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/git-2.3.7/Documentation/RelNotes/2.3.7.txt 2015-04-27 21:29:33.000000000 +0200 
@@ -0,0 +1,21 @@ +Git v2.3.7 Release Notes +======================== + +Fixes since v2.3.6 +------------------ + + * An earlier update to the parser that disects a URL broke an + address, followed by a colon, followed by an empty string (instead + of the port number), e.g. ssh://example.com:/path/to/repo. + + * The completion script (in contrib/) contaminated global namespace + and clobbered on a shell variable $x. + + * The "git push --signed" protocol extension did not limit what the + "nonce" that is a server-chosen string can contain or how long it + can be, which was unnecessarily lax. Limit both the length and the + alphabet to a reasonably small space that can still have enough + entropy. + +Also contains typofixes, documentation updates and trivial code +clean-ups. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/Documentation/git.txt new/git-2.3.7/Documentation/git.txt --- old/git-2.3.6/Documentation/git.txt 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/Documentation/git.txt 2015-04-27 21:29:33.000000000 +0200 @@ -43,9 +43,10 @@ branch of the `git.git` repository. Documentation for older releases are available here: -* link:v2.3.6/git.html[documentation for release 2.3.6] +* link:v2.3.7/git.html[documentation for release 2.3.7] * release notes for + link:RelNotes/2.3.7.txt[2.3.7], link:RelNotes/2.3.6.txt[2.3.6], link:RelNotes/2.3.5.txt[2.3.5], link:RelNotes/2.3.4.txt[2.3.4], diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/GIT-VERSION-GEN new/git-2.3.7/GIT-VERSION-GEN --- old/git-2.3.6/GIT-VERSION-GEN 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/GIT-VERSION-GEN 2015-04-27 21:29:33.000000000 +0200 
@@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.3.6 +DEF_VER=v2.3.7 LF=' ' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/RelNotes new/git-2.3.7/RelNotes --- old/git-2.3.6/RelNotes 2015-05-02 17:24:49.000000000 +0200 +++ new/git-2.3.7/RelNotes 2015-05-02 17:24:49.000000000 +0200 @@ -1 +1 @@ -symbolic link to Documentation/RelNotes/2.3.6.txt +symbolic link to Documentation/RelNotes/2.3.7.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/configure new/git-2.3.7/configure --- old/git-2.3.6/configure 2015-04-21 23:09:38.000000000 +0200 +++ new/git-2.3.7/configure 2015-04-27 21:29:33.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for git 2.3.6. +# Generated by GNU Autoconf 2.69 for git 2.3.7. # # Report bugs to <[email protected]>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='git' PACKAGE_TARNAME='git' -PACKAGE_VERSION='2.3.6' -PACKAGE_STRING='git 2.3.6' +PACKAGE_VERSION='2.3.7' +PACKAGE_STRING='git 2.3.7' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1251,7 +1251,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures git 2.3.6 to adapt to many kinds of systems. +\`configure' configures git 2.3.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1312,7 +1312,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of git 2.3.6:";; + short | recursive ) echo "Configuration of git 2.3.7:";; esac cat <<\_ACEOF @@ -1451,7 +1451,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -git configure 2.3.6 +git configure 2.3.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1931,7 +1931,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by git $as_me 2.3.6, which was +It was created by git $as_me 2.3.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -8044,7 +8044,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by git $as_me 2.3.6, which was +This file was extended by git $as_me 2.3.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8101,7 +8101,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -git config.status 2.3.6 +git config.status 2.3.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/connect.c new/git-2.3.7/connect.c --- old/git-2.3.6/connect.c 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/connect.c 2015-04-27 21:29:33.000000000 +0200 @@ -310,6 +310,8 @@ if (end != colon + 1 && *end == '\0' && 0 <= portnr && portnr < 65536) { *colon = 0; *port = colon + 1; + } else if (!colon[1]) { + *colon = 0; } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/contrib/completion/git-completion.bash new/git-2.3.7/contrib/completion/git-completion.bash --- old/git-2.3.6/contrib/completion/git-completion.bash 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/contrib/completion/git-completion.bash 2015-04-27 21:29:33.000000000 +0200 
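Review bot: The new `else if (!colon[1])` branch in connect.c has no comment, and its intent (treat `host:` with an empty port as plain `host`) is not obvious from the condition alone. I would add `/* "host:" with nothing after the colon: drop the colon, leave *port untouched */` above the added `*colon = 0;`. A colon followed by text that fails the numeric or range test still appears to leave the colon inside the host string, so it is worth confirming that the caller rejects or otherwise handles such a host. The enclosing function starts and ends outside the hunk.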
@@ -186,7 +186,7 @@ __gitcompappend () { - local i=${#COMPREPLY[@]} + local x i=${#COMPREPLY[@]} for x in $1; do if [[ "$x" == "$3"* ]]; then COMPREPLY[i++]="$2$x$4" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/git.spec new/git-2.3.7/git.spec --- old/git-2.3.6/git.spec 2015-04-21 23:09:38.000000000 +0200 +++ new/git-2.3.7/git.spec 2015-04-27 21:29:33.000000000 +0200 @@ -1,7 +1,7 @@ # Pass --without docs to rpmbuild if you don't want the documentation Name: git -Version: 2.3.6 +Version: 2.3.7 Release: 1%{?dist} Summary: Core git tools License: GPL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/send-pack.c new/git-2.3.7/send-pack.c --- old/git-2.3.6/send-pack.c 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/send-pack.c 2015-04-27 21:29:33.000000000 +0200 @@ -281,6 +281,28 @@ return update_seen; } +#define NONCE_LEN_LIMIT 256 + +static void reject_invalid_nonce(const char *nonce, int len) +{ + int i = 0; + + if (NONCE_LEN_LIMIT <= len) + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + + for (i = 0; i < len; i++) { + int ch = nonce[i] & 0xFF; + if (isalnum(ch) || + ch == '-' || ch == '.' || + ch == '/' || ch == '+' || + ch == '=' || ch == '_') + continue; + die("the receiving end asked to sign an invalid nonce <%.*s>", + len, nonce); + } +} + int send_pack(struct send_pack_args *args, int fd[], struct child_process *conn, struct ref *remote_refs, 
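Review bot: Both `die()` calls in `reject_invalid_nonce` print the rejected nonce back with `%.*s`, so bytes chosen by the remote end and just judged invalid are written to the user's terminal or logs; this includes control characters, and the over-length case puts no upper bound on `len`. I would drop the echo, `die("the receiving end asked to sign an invalid nonce");`, or report only the length or the offending byte value. The messages are also not wrapped in `_()`, unlike the neighbouring `die(_("the receiving end does not support --signed push"))` at the call site in the next hunk. A zero-length nonce passes the check because the loop never runs; if `server_feature_value` can return an empty value, an explicit `len == 0` rejection would be worth adding.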
@@ -323,6 +345,7 @@ push_cert_nonce = server_feature_value("push-cert", &len); if (!push_cert_nonce) die(_("the receiving end does not support --signed push")); + reject_invalid_nonce(push_cert_nonce, len); push_cert_nonce = xmemdupz(push_cert_nonce, len); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/t/t5500-fetch-pack.sh new/git-2.3.7/t/t5500-fetch-pack.sh --- old/git-2.3.6/t/t5500-fetch-pack.sh 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/t/t5500-fetch-pack.sh 2015-04-27 21:29:33.000000000 +0200 @@ -576,13 +576,16 @@ do for h in host user@host user@[::1] user@::1 do - test_expect_success "fetch-pack --diag-url $p://$h/$r" ' - check_prot_host_port_path $p://$h/$r $p "$h" NONE "/$r" - ' - # "/~" -> "~" conversion - test_expect_success "fetch-pack --diag-url $p://$h/~$r" ' - check_prot_host_port_path $p://$h/~$r $p "$h" NONE "~$r" - ' + for c in "" : + do + test_expect_success "fetch-pack --diag-url $p://$h$c/$r" ' + check_prot_host_port_path $p://$h/$r $p "$h" NONE "/$r" + ' + # "/~" -> "~" conversion + test_expect_success "fetch-pack --diag-url $p://$h$c/~$r" ' + check_prot_host_port_path $p://$h/~$r $p "$h" NONE "~$r" + ' + done done for h in host User@host User@[::1] do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/t/t5601-clone.sh new/git-2.3.7/t/t5601-clone.sh --- old/git-2.3.6/t/t5601-clone.sh 2015-04-21 23:09:37.000000000 +0200 +++ new/git-2.3.7/t/t5601-clone.sh 2015-04-27 21:29:33.000000000 +0200 
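Review bot: In the t5500 hunk the new loop variable `$c` appears only in the test titles. Both `check_prot_host_port_path` calls still pass `$p://$h/$r` and `$p://$h/~$r`, so the trailing-colon URL is presumably never handed to `fetch-pack --diag-url` and each case just runs the colon-free check twice. The first argument should carry the colon: `check_prot_host_port_path $p://$h$c/$r $p "$h" NONE "/$r"` and `check_prot_host_port_path $p://$h$c/~$r $p "$h" NONE "~$r"`. The enclosing `for` loops start outside the hunk.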
@@ -387,14 +387,17 @@ done #with ssh:// scheme -test_expect_success 'clone ssh://host.xz/home/user/repo' ' - test_clone_url "ssh://host.xz/home/user/repo" host.xz "/home/user/repo" -' - -# from home directory -test_expect_success 'clone ssh://host.xz/~repo' ' - test_clone_url "ssh://host.xz/~repo" host.xz "~repo" +#ignore trailing colon +for tcol in "" : +do + test_expect_success "clone ssh://host.xz$tcol/home/user/repo" ' + test_clone_url "ssh://host.xz$tcol/home/user/repo" host.xz /home/user/repo + ' + # from home directory + test_expect_success "clone ssh://host.xz$tcol/~repo" ' + test_clone_url "ssh://host.xz$tcol/~repo" host.xz "~repo" ' +done # with port number test_expect_success 'clone ssh://host.xz:22/home/user/repo' ' @@ -407,9 +410,9 @@ ' #IPv6 -for tuah in ::1 [::1] user@::1 user@[::1] [user@::1] +for tuah in ::1 [::1] [::1]: user@::1 user@[::1] user@[::1]: [user@::1] [user@::1]: do - ehost=$(echo $tuah | tr -d "[]") + ehost=$(echo $tuah | sed -e "s/1]:/1]/ "| tr -d "[]") test_expect_success "clone ssh://$tuah/home/user/repo" " test_clone_url ssh://$tuah/home/user/repo $ehost /home/user/repo " diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-2.3.6/version new/git-2.3.7/version --- old/git-2.3.6/version 2015-04-21 23:09:38.000000000 +0200 +++ new/git-2.3.7/version 2015-04-27 21:29:33.000000000 +0200 @@ -1 +1 @@ -2.3.6 +2.3.7
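Review bot: In the IPv6 hunk of t5601, `ehost=$(echo $tuah | sed -e "s/1]:/1]/ "| tr -d "[]")` ties the colon stripping to the literal `1]` ending of the loopback address and leaves a stray space inside the sed script. The unquoted `$tuah`, like the unquoted bracketed words in the `for` list, is also subject to pathname expansion if a matching file name ever exists in the working directory. Anchoring on the closing bracket and quoting the expansion is clearer and not tied to one address: `ehost=$(echo "$tuah" | sed -e "s/]:\$/]/" | tr -d "[]")`. The loop body continues past the end of the hunk.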
