Update dependency libgit2/libgit2 to v1.4.3
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| libgit2/libgit2 | ironbank-github | minor |
v1.3.0 -> v1.4.3
|
Release Notes
libgit2/libgit2
v1.4.3
libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.
In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.
Full list of changes:
- Validate repository directory ownership (v1.4) by @ethomson in https://github.com/libgit2/libgit2/pull/6267
- midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in https://github.com/libgit2/libgit2/pull/6260
- fetch: support OID refspec without dst by @ethomson in https://github.com/libgit2/libgit2/pull/6251
- Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in https://github.com/libgit2/libgit2/pull/6244
All users of the v1.4 release line are recommended to upgrade.
Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.2...v1.4.3
v1.4.2
- remote: do store the update_tips callback error value by @carlosmn in https://github.com/libgit2/libgit2/pull/6226
- win32:
find_system_dirsdoes not returnGIT_ENOTFOUNDby @ethomson in https://github.com/libgit2/libgit2/pull/6228
All users of the v1.4 release line are recommended to upgrade.
v1.4.1
- xdiff: use xdl_free not free by @ethomson
- cmake: Fix package name for system http-parser by @mgorny
- Free parent and ref in lg2_commit before returning by @apnadkarni
All users of the v1.4 release line are recommended to upgrade.
Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.0...v1.4.1
v1.4.0
This is release v1.4.0, "Fisematenten". This release includes several new features and bugfixes, improves compatibility with git, and begins preparation for SHA256 support in a future release.
What's Changed
New features
- diff: update rename limit to 1000 to match git's behavior by @ethomson in https://github.com/libgit2/libgit2/pull/6092
- odb: support checking for object existence without refresh by @joshtriplett in https://github.com/libgit2/libgit2/pull/6107
- object: provide a low-level mechanism to validate whether a raw object is valid (
git_object_rawcontent_is_valid) by @ethomson in https://github.com/libgit2/libgit2/pull/6128 - blob: provide a function to identify binary content by @ethomson in https://github.com/libgit2/libgit2/pull/6142
- status: add
rename_thresholdtogit_status_options. by @arroz in https://github.com/libgit2/libgit2/pull/6158 - remote: support
http.followRedirects(falseandinitial) and follow initial redirects by default by @ethomson in https://github.com/libgit2/libgit2/pull/6175 - remote: support scp style paths with ports (
[git@github.com:22]:libgit2/libgit2) by @ethomson in https://github.com/libgit2/libgit2/pull/6167 - win32: update git for windows configuration file location compatibility by @csware in https://github.com/libgit2/libgit2/pull/6151 and @ethomson in https://github.com/libgit2/libgit2/pull/6180
- refs: speed up packed reference lookups when packed refs are sorted by @ccstolley in https://github.com/libgit2/libgit2/pull/6138
- merge: support zdiff3 conflict styles by @ethomson in https://github.com/libgit2/libgit2/pull/6195
- remote: support fetching by object id (using "+oid:ref" refspec syntax) by @ethomson in https://github.com/libgit2/libgit2/pull/6203
- merge: callers can specify virtual-base building behavior and to optionally accept conflict markers as a resolution by @boretrk in https://github.com/libgit2/libgit2/pull/6204
Deprecated APIs
-
git_index_checksumis deprecated; this information is now internal to the library and there is no replacement -
git_indexer_hashis deprecated; callers should usegit_indexer_nameto retrieve the filename -
git_packbuilder_hashis deprecated; callers should usegit_packbuilder_nameto retrieve the filename
ABI changes
-
git_fetch_optionsnow includes thefollow_redirectsvalue -
git_push_optionsnow includes thefollow_redirectsvalue -
git_status_optionsnow includes therename_thresholdvalue -
git_transportcontains several changed function pointer signatures
Bug fixes
- Fix a gcc 11 warning in src/threadstate.c by @lhchavez in https://github.com/libgit2/libgit2/pull/6115
- Fix a gcc 11 warning in src/thread.h by @lhchavez in https://github.com/libgit2/libgit2/pull/6116
- cmake: re-enable WinHTTP by @ethomson in https://github.com/libgit2/libgit2/pull/6120
- Fix repo init when template dir is non-existent by @ammgws in https://github.com/libgit2/libgit2/pull/6106
- cmake: use project-specific root variable instead of CMAKE_SOURCE_DIR by @Qix- in https://github.com/libgit2/libgit2/pull/6146
- Better revparse compatibility for at time notation by @yoichi in https://github.com/libgit2/libgit2/pull/6095
- remotes: fix insteadOf/pushInsteadOf handling by @mkhl in https://github.com/libgit2/libgit2/pull/6101
- git_commit_summary: ignore lines with spaces by @stforek in https://github.com/libgit2/libgit2/pull/6125
- Config parsing by @csware in https://github.com/libgit2/libgit2/pull/6124
- config: handle empty conditional in includeIf by @ethomson in https://github.com/libgit2/libgit2/pull/6165
- #6154 git_status_list_new case insensitive fix by @arroz in https://github.com/libgit2/libgit2/pull/6159
- futils_mktmp: don't use umask by @boretrk in https://github.com/libgit2/libgit2/pull/6178
- revparse: support bare '@' by @ethomson in https://github.com/libgit2/libgit2/pull/6196
- odb: check for write failures by @ethomson in https://github.com/libgit2/libgit2/pull/6206
- push: Prepare pack before sending pack header. by @ccstolley in https://github.com/libgit2/libgit2/pull/6205
- mktmp: improve our temp file creation by @ethomson in https://github.com/libgit2/libgit2/pull/6207
- diff_file: fix crash if size of diffed file changes in workdir by @jorio in https://github.com/libgit2/libgit2/pull/6208
- merge: comment conflicts lines in MERGE_MSG by @ethomson in https://github.com/libgit2/libgit2/pull/6197
- Fix crashes in example programs on Windows (sprintf_s not compatible with snprintf) by @apnadkarni in https://github.com/libgit2/libgit2/pull/6212
Code cleanups
- Introduce
git_remote_connect_optionsby @ethomson in https://github.com/libgit2/libgit2/pull/6161 - hash: separate hashes and git_oid by @ethomson in https://github.com/libgit2/libgit2/pull/6082
-
git_buf: now a public-only API (git_stris our internal API) by @ethomson in https://github.com/libgit2/libgit2/pull/6078 - cmake: cleanups and consistency by @ethomson in https://github.com/libgit2/libgit2/pull/6084
- path: refactor utility path functions by @ethomson in https://github.com/libgit2/libgit2/pull/6104
- str: git_str_free is never a function by @ethomson in https://github.com/libgit2/libgit2/pull/6111
- cmake refactorings by @ethomson in https://github.com/libgit2/libgit2/pull/6112
- Add missing-declarations warning globally by @ethomson in https://github.com/libgit2/libgit2/pull/6113
- cmake: further refactorings by @ethomson in https://github.com/libgit2/libgit2/pull/6114
- tag: set validity to 0 by default by @ethomson in https://github.com/libgit2/libgit2/pull/6119
- util: minor cleanup and refactoring to the date class by @ethomson in https://github.com/libgit2/libgit2/pull/6121
- Minor code cleanups by @ethomson in https://github.com/libgit2/libgit2/pull/6122
- Fix a long long that crept past by @NattyNarwhal in https://github.com/libgit2/libgit2/pull/6094
- remote: refactor insteadof application by @ethomson in https://github.com/libgit2/libgit2/pull/6147
- ntmlclient: fix linking with libressl by @boretrk in https://github.com/libgit2/libgit2/pull/6157
- c99: change single bit flags to unsigned by @boretrk in https://github.com/libgit2/libgit2/pull/6179
- Fix typos by @rex4539 in https://github.com/libgit2/libgit2/pull/6164
- diff_driver: split global_drivers array into separate elements by @boretrk in https://github.com/libgit2/libgit2/pull/6184
- cmake: disable some gnu extensions by @boretrk in https://github.com/libgit2/libgit2/pull/6185
- Disabling setting
CMAKE_FIND_LIBRARY_SUFFIXESon Apple platforms. by @arroz in https://github.com/libgit2/libgit2/pull/6153 - C90: add inline macro to xdiff and mbedtls by @boretrk in https://github.com/libgit2/libgit2/pull/6200
- SHA256: early preparation by @ethomson in https://github.com/libgit2/libgit2/pull/6192
CI improvements
- tests: rename test runner to
libgit2_tests, build option toBUILD_TESTS. by @ethomson in https://github.com/libgit2/libgit2/pull/6083 - ci: only update docs on push by @ethomson in https://github.com/libgit2/libgit2/pull/6108
- Pedantic header test by @boretrk in https://github.com/libgit2/libgit2/pull/6086
- ci: build with ssh on nightly by @ethomson in https://github.com/libgit2/libgit2/pull/6148
- ci: improve the name in CI runs by @ethomson in https://github.com/libgit2/libgit2/pull/6198
Documentation improvements
- Document that
git_odbis thread-safe by @joshtriplett in https://github.com/libgit2/libgit2/pull/6109 - Improve documentation by @punkymaniac in https://github.com/libgit2/libgit2/pull/6168
Other changes
- libgit2_clar is now libgit2_tests by @mkhl in https://github.com/libgit2/libgit2/pull/6100
- Remove PSGit from Language Bindings section of README by @cestrand in https://github.com/libgit2/libgit2/pull/6150
- COPYING: remove regex copyright, add PCRE copyright by @ethomson in https://github.com/libgit2/libgit2/pull/6187
- meta: add a release configuration file by @ethomson in https://github.com/libgit2/libgit2/pull/6211
New Contributors
- @mkhl made their first contribution in https://github.com/libgit2/libgit2/pull/6100
- @ammgws made their first contribution in https://github.com/libgit2/libgit2/pull/6106
- @yoichi made their first contribution in https://github.com/libgit2/libgit2/pull/6095
- @stforek made their first contribution in https://github.com/libgit2/libgit2/pull/6125
- @cestrand made their first contribution in https://github.com/libgit2/libgit2/pull/6150
- @rex4539 made their first contribution in https://github.com/libgit2/libgit2/pull/6164
- @jorio made their first contribution in https://github.com/libgit2/libgit2/pull/6208
Full Changelog: https://github.com/libgit2/libgit2/compare/v1.3.0...v1.4.0
v1.3.1
libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.
In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.
Full list of changes:
- Validate repository directory ownership (v1.3) by @ethomson in https://github.com/libgit2/libgit2/pull/6268
All users of the v1.3 release line are recommended to upgrade.
Configuration
-
If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot.