git (1:1.9.1-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution via
    submodule names in .gitsubmodules.
    - 0005-submodule-config-verify-submodule-names-as-paths.patch
    - 0018-fsck-simplify-.git-check.patch
    - 0020-fsck-actually-fsck-blob-data.patch
    - 0025-fsck-detect-gitmodules-files.patch
    - 0026-fsck-check-.gitmodules-content.patch
    - 0027-fsck-call-fsck_finish-after-fscking-objects.patch
    - 0028-unpack-objects-call-fsck_finish-after-fscking-objects.patch
    - 0029-index-pack-check-.gitmodules-files-with-strict.patch
    - CVE-2018-11235 (LP: #1774061)
  * SECURITY UPDATE: out-of-bounds memory access when sanity-checking
    pathnames on NTFS
    - 0006-is_ntfs_dotgit-use-a-size_t-for-traversing-string.patch
    - CVE-2018-11233
  * Do not allow .gitmodules to be a symlink:
  * debian/rules: ensure added tests are executable.
    - 0001-apply-reject-input-that-touches-outside-the-working-a.patch
    - 0002-apply-do-not-read-from-the-filesystem-under-index.patch
    - 0003-apply-do-not-read-from-beyond-a-symbolic-link.patch
    - 0004-apply-do-not-touch-a-file-beyond-a-symbolic-link.patch
    - 0007-is_hfs_dotgit-match-other-.git-files.patch
    - 0008-is_ntfs_dotgit-match-other-.git-files.patch
    - 0009-skip_prefix-add-case-insensitive-variant.patch
    - 0010-verify_path-drop-clever-fallthrough.patch
    - 0011-verify_dotfile-mention-case-insensitivity-in-comment.patch
    - 0012-update-index-stat-updated-files-earlier.patch
    - 0013-verify_path-disallow-symlinks-in-.gitmodules.patch
    - 0014-sha1_file-add-read_loose_object-function.patch
    - 0015-fsck-drop-inode-sorting-code.patch
    - 0016-fsck-parse-loose-object-paths-directly.patch
    - 0017-index-pack-make-fsck-error-message-more-specific.patch
    - 0019-fsck_object-allow-passing-object-data-separately-from.patch
    - 0021-add-a-hashtable-implementation-that-supports-O-1-rem.patch
    - 0022-hashmap.h-use-unsigned-int-for-hash-codes-everywhere.patch
    - 0023-hashmap-factor-out-getting-a-hash-code-from-a-SHA1.patch
    - 0024-hashmap-add-simplified-hashmap_get_from_hash-API.patch
    - 0030-fsck-complain-when-.gitmodules-is-a-symlink.patch
  * move patches from debian/diff to quilt debian/patch/, to avoid
    conflicts and overlooking already added patches
  * Thanks to Jonathan Nieder <jrnie...@gmail.com> of Debian for
    backporting to 2.1.x.

Date: 2018-06-05 06:05:13.493291+00:00
Changed-By: Steve Beattie <sbeat...@ubuntu.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-ro...@chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.8
Sorry, changesfile not available.
-- 
Trusty-changes mailing list
Trusty-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/trusty-changes
