Update dependency libgit2/libgit2 to v1.4.4

renovate requested to merge renovate/libgit2-libgit2-1.x into development

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| libgit2/libgit2 | ironbank-github | minor | v1.3.0 -> v1.4.4 |

Release Notes

libgit2/libgit2

v1.4.4

🔒 This is a security release with multiple changes.

  • This provides compatibility with git's changes to address CVE-2022-29187. As a follow-up to CVE-2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

  • A fix for compatibility with git's (new) behavior for CVE-2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

  • A fix for further compatibility with git's (existing) behavior for CVE-2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

  • The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.4 release line are recommended to upgrade.

v1.4.3

🔒 This is a security release to provide compatibility with git's changes to address CVE-2022-24765.

libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are no known exploits of these issues.

Full list of changes:

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.2...v1.4.3

v1.4.2

🐞 This is a bugfix release with the following changes:

All users of the v1.4 release line are recommended to upgrade.

v1.4.1

🐞 This is a bugfix release with the following changes:

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.0...v1.4.1

v1.4.0

This is release v1.4.0, "Fisematenten". This release includes several new features and bugfixes, improves compatibility with git, and begins preparation for SHA256 support in a future release.

What's Changed

New features
Deprecated APIs
  • git_index_checksum is deprecated; this information is now internal to the library and there is no replacement
  • git_indexer_hash is deprecated; callers should use git_indexer_name to retrieve the filename
  • git_packbuilder_hash is deprecated; callers should use git_packbuilder_name to retrieve the filename
ABI changes
  • git_fetch_options now includes the follow_redirects value
  • git_push_options now includes the follow_redirects value
  • git_status_options now includes the rename_threshold value
  • git_transport contains several changed function pointer signatures
Bug fixes
Code cleanups
CI improvements
Documentation improvements
Other changes

New Contributors

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.3.0...v1.4.0

v1.3.2

🔒 This is a security release with multiple changes.

  • This provides compatibility with git's changes to address CVE-2022-29187. As a follow-up to CVE-2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

  • A fix for compatibility with git's (new) behavior for CVE-2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

  • A fix for further compatibility with git's (existing) behavior for CVE-2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

  • The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.3 release line are recommended to upgrade.

v1.3.1

🔒 This is a security release to provide compatibility with git's changes to address CVE-2022-24765.

libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are no known exploits of these issues.

Full list of changes:

All users of the v1.3 release line are recommended to upgrade.
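The ownership validation described in the v1.4.3/v1.3.1 notes, and its v1.4.4/v1.3.2 extension to the .git directory, the .git file and the sudo case, can be illustrated as a small stand-alone check. This is an added example written for this MR page; it is not libgit2's code and does not reproduce libgit2's internals. Assumptions not stated in the release notes: the function names (`ownership_ok`, `paths_to_examine`, `unsafe_paths`, `make_demo_repo`) are hypothetical; the sudo case is detected through the `SUDO_UID` environment variable; and when `.git` is a file, the `gitdir:` path it names is also examined. The sample repository is constructed in a temporary directory.

```python
"""Repository-ownership check modelled on the libgit2 v1.4.3/v1.4.4 release
notes. Added illustration only; not libgit2 source code."""
import os
import tempfile
from pathlib import Path
from typing import Callable, List, Optional


def ownership_ok(owner_uid: int, current_uid: int, sudo_uid: Optional[int] = None) -> bool:
    """A path is acceptable when the caller owns it, or when the caller is
    root running under sudo and the invoking user (SUDO_UID) owns it."""
    if owner_uid == current_uid:
        return True
    return current_uid == 0 and sudo_uid is not None and owner_uid == sudo_uid


def paths_to_examine(worktree: Path) -> List[Path]:
    """Working directory, its .git entry and, if .git is a gitfile, the gitdir it
    names (following the gitfile is an assumption of this example)."""
    paths = [worktree]
    dotgit = worktree / ".git"
    if dotgit.exists():
        paths.append(dotgit)
        if dotgit.is_file():
            lines = dotgit.read_text(encoding="utf-8").splitlines()
            first = lines[0].strip() if lines else ""
            if first.startswith("gitdir:"):
                target = Path(first[len("gitdir:"):].strip())
                if not target.is_absolute():
                    target = worktree / target
                paths.append(target)
    return paths


def _owner_of(path: Path) -> int:
    return path.stat().st_uid


def unsafe_paths(worktree, current_uid: Optional[int] = None,
                 sudo_uid: Optional[int] = None,
                 owner_of: Callable[[Path], int] = _owner_of) -> List[str]:
    """Return the examined paths whose owner fails ownership_ok(); an empty
    list means the repository may be opened. owner_of is injectable so the
    decision logic can be exercised without chown."""
    worktree = Path(worktree)
    if current_uid is None:
        current_uid = os.geteuid()
    if sudo_uid is None and "SUDO_UID" in os.environ:
        try:
            sudo_uid = int(os.environ["SUDO_UID"])
        except ValueError:
            sudo_uid = None
    bad = []
    for p in paths_to_examine(worktree):
        if not p.exists():
            continue
        if not ownership_ok(owner_of(p), current_uid, sudo_uid):
            bad.append(str(p))
    return bad


def make_demo_repo() -> Path:
    """Constructed sample: a worktree whose .git is a gitfile pointing at a
    separate gitdir, so three paths get examined."""
    root = Path(tempfile.mkdtemp(prefix="owner-demo-"))
    (root / "real.git").mkdir()
    worktree = root / "work"
    worktree.mkdir()
    (worktree / ".git").write_text("gitdir: ../real.git\n", encoding="utf-8")
    return worktree


if __name__ == "__main__":
    wt = make_demo_repo()
    print("examined:", [str(p) for p in paths_to_examine(wt)])
    print("unsafe as current user:", unsafe_paths(wt))
    print("unsafe if another uid owns everything:",
          unsafe_paths(wt, current_uid=1000, owner_of=lambda p: 12345))
```

Running the block creates the sample repository under a temporary directory and reports which of the three examined paths would be rejected for the current user and for a mismatched owner; the root-under-sudo case is accepted only when `SUDO_UID` matches the owner, which mirrors the POSIX compatibility fix the notes describe.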


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.