Update dependency libgit2/libgit2 to v1.5.0 (!62) · Merge requests · Iron Bank Containers / fluxcd / image-automation-controller

renovate requested to merge renovate/libgit2-libgit2-1.x into development Jul 14, 2022

This MR contains the following updates:

Package	Type	Update	Change
libgit2/libgit2	ironbank-github	minor	`v1.3.0` -> `v1.5.0`

Release Notes

libgit2/libgit2

`v1.5.0`

Compare Source

This is release v1.5.0, "Stubentiger". This release adds the basis for an experimental CLI, continues preparing for SHA256 support, adds a benchmarking utility, and has numerous new features and bugfixes.

What's Changed

New features

The beginnings of a git-compatible CLI for testing and benchmarking by @ethomson in https://github.com/libgit2/libgit2/pull/6133
Add clone support to the CLI @ethomson in https://github.com/libgit2/libgit2/pull/6274
A benchmarking suite to compare libgit2 functionality against git by @ethomson in https://github.com/libgit2/libgit2/pull/6235
SHA256: add a SHA256 implementation backend by @ethomson in https://github.com/libgit2/libgit2/pull/6144
SHA256: support dynamically loaded openssl by @ethomson in https://github.com/libgit2/libgit2/pull/6258
Transport: introduce git_transport_smart_remote_connect_options by @lhchavez in https://github.com/libgit2/libgit2/pull/6278

Bug fixes

Free parent and ref in lg2_commit before returning. by @apnadkarni in https://github.com/libgit2/libgit2/pull/6219
xdiff: use xdl_free not free by @ethomson in https://github.com/libgit2/libgit2/pull/6223
remote: do store the update_tips callback error value by @carlosmn in https://github.com/libgit2/libgit2/pull/6226
win32: find_system_dirs does not return GIT_ENOTFOUND by @ethomson in https://github.com/libgit2/libgit2/pull/6228
Some minor fixes for issues discovered by coverity by @ethomson in https://github.com/libgit2/libgit2/pull/6238
Fix a string concatenation bug when validating extensions by @bierbaum in https://github.com/libgit2/libgit2/pull/6246
fetch: support OID refspec without dst by @ethomson in https://github.com/libgit2/libgit2/pull/6251
Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in https://github.com/libgit2/libgit2/pull/6244
midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in https://github.com/libgit2/libgit2/pull/6260
Validate repository directory ownership by @ethomson in https://github.com/libgit2/libgit2/pull/6266
midx: fix large offset table check. by @ccstolley in https://github.com/libgit2/libgit2/pull/6309
midx: do not verify the checksum on load by @carlosmn in https://github.com/libgit2/libgit2/pull/6291
revparse: Remove error-prone, redundant test by @dongcarl in https://github.com/libgit2/libgit2/pull/6299
refs: fix missing error message by @zawata in https://github.com/libgit2/libgit2/pull/6305
CLI: progress updates by @ethomson in https://github.com/libgit2/libgit2/pull/6319
A couple of simplications around mwindow by @carlosmn in https://github.com/libgit2/libgit2/pull/6288
config: update config entry iteration lifecycle by @ethomson in https://github.com/libgit2/libgit2/pull/6320
repo: allow administrator to own the configuration by @ethomson in https://github.com/libgit2/libgit2/pull/6321
filter: Fix Segfault by @zawata in https://github.com/libgit2/libgit2/pull/6303
ntlmclient: LibreSSL 3.5 removed HMAC_CTX_cleanup by @vishwin in https://github.com/libgit2/libgit2/pull/6340
Fix internal git_sysdir_find* function usage within public git_config_find* functions by @kcsaul in https://github.com/libgit2/libgit2/pull/6335
fix interactive rebase detect. by @i-tengfei in https://github.com/libgit2/libgit2/pull/6334
cmake: drop posix dependency from pcre* detection by @jpalus in https://github.com/libgit2/libgit2/pull/6333
Fix erroneously lax configuration ownership checks by @ethomson in https://github.com/libgit2/libgit2/pull/6341
pack: don't pretend we support pack files v3 by @ethomson in https://github.com/libgit2/libgit2/pull/6347
Fix creation of branches and tags with invalid names by @lya001 in https://github.com/libgit2/libgit2/pull/6348

🔒 This is a security release with multiple changes.

This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to CVE 2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.
A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.
A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).
The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.4 release line are recommended to upgrade.

`v1.4.3`

Compare Source

🔒 This is a security release to provide compatibility with git's changes to address CVE 2022-24765.

libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.

Full list of changes:

Validate repository directory ownership (v1.4) by @ethomson in https://github.com/libgit2/libgit2/pull/6267
midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in https://github.com/libgit2/libgit2/pull/6260
fetch: support OID refspec without dst by @ethomson in https://github.com/libgit2/libgit2/pull/6251
Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in https://github.com/libgit2/libgit2/pull/6244

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.2...v1.4.3

`v1.4.2`

Compare Source

🐞 This is a bugfix release with the following changes:

remote: do store the update_tips callback error value by @carlosmn in https://github.com/libgit2/libgit2/pull/6226
win32: find_system_dirs does not return GIT_ENOTFOUND by @ethomson in https://github.com/libgit2/libgit2/pull/6228

All users of the v1.4 release line are recommended to upgrade.

`v1.4.1`

Compare Source

🐞 This is a bugfix release with the following changes:

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.4.0...v1.4.1

`v1.4.0`

Compare Source

This is release v1.4.0, "Fisematenten". This release includes several new features and bugfixes, improves compatibility with git, and begins preparation for SHA256 support in a future release.

What's Changed

New features

diff: update rename limit to 1000 to match git's behavior by @ethomson in https://github.com/libgit2/libgit2/pull/6092
odb: support checking for object existence without refresh by @joshtriplett in https://github.com/libgit2/libgit2/pull/6107
object: provide a low-level mechanism to validate whether a raw object is valid (git_object_rawcontent_is_valid) by @ethomson in https://github.com/libgit2/libgit2/pull/6128
blob: provide a function to identify binary content by @ethomson in https://github.com/libgit2/libgit2/pull/6142
status: add rename_threshold to git_status_options. by @arroz in https://github.com/libgit2/libgit2/pull/6158
remote: support http.followRedirects (false and initial) and follow initial redirects by default by @ethomson in https://github.com/libgit2/libgit2/pull/6175
remote: support scp style paths with ports ([git@github.com:22]:libgit2/libgit2) by @ethomson in https://github.com/libgit2/libgit2/pull/6167
win32: update git for windows configuration file location compatibility by @csware in https://github.com/libgit2/libgit2/pull/6151 and @ethomson in https://github.com/libgit2/libgit2/pull/6180
refs: speed up packed reference lookups when packed refs are sorted by @ccstolley in https://github.com/libgit2/libgit2/pull/6138
merge: support zdiff3 conflict styles by @ethomson in https://github.com/libgit2/libgit2/pull/6195
remote: support fetching by object id (using "+oid:ref" refspec syntax) by @ethomson in https://github.com/libgit2/libgit2/pull/6203
merge: callers can specify virtual-base building behavior and to optionally accept conflict markers as a resolution by @boretrk in https://github.com/libgit2/libgit2/pull/6204

Deprecated APIs

git_index_checksum is deprecated; this information is now internal to the library and there is no replacement
git_indexer_hash is deprecated; callers should use git_indexer_name to retrieve the filename
git_packbuilder_hash is deprecated; callers should use git_packbuilder_name to retrieve the filename

ABI changes

git_fetch_options now includes the follow_redirects value
git_push_options now includes the follow_redirects value
git_status_options now includes the rename_threshold value
git_transport contains several changed function pointer signatures

Bug fixes

Fix a gcc 11 warning in src/threadstate.c by @lhchavez in https://github.com/libgit2/libgit2/pull/6115
Fix a gcc 11 warning in src/thread.h by @lhchavez in https://github.com/libgit2/libgit2/pull/6116
cmake: re-enable WinHTTP by @ethomson in https://github.com/libgit2/libgit2/pull/6120
Fix repo init when template dir is non-existent by @ammgws in https://github.com/libgit2/libgit2/pull/6106
cmake: use project-specific root variable instead of CMAKE_SOURCE_DIR by @Qix- in https://github.com/libgit2/libgit2/pull/6146
Better revparse compatibility for at time notation by @yoichi in https://github.com/libgit2/libgit2/pull/6095
remotes: fix insteadOf/pushInsteadOf handling by @mkhl in https://github.com/libgit2/libgit2/pull/6101
git_commit_summary: ignore lines with spaces by @stforek in https://github.com/libgit2/libgit2/pull/6125
Config parsing by @csware in https://github.com/libgit2/libgit2/pull/6124
config: handle empty conditional in includeIf by @ethomson in https://github.com/libgit2/libgit2/pull/6165
#6154 git_status_list_new case insensitive fix by @arroz in https://github.com/libgit2/libgit2/pull/6159
futils_mktmp: don't use umask by @boretrk in https://github.com/libgit2/libgit2/pull/6178
revparse: support bare '@' by @ethomson in https://github.com/libgit2/libgit2/pull/6196
odb: check for write failures by @ethomson in https://github.com/libgit2/libgit2/pull/6206
push: Prepare pack before sending pack header. by @ccstolley in https://github.com/libgit2/libgit2/pull/6205
mktmp: improve our temp file creation by @ethomson in https://github.com/libgit2/libgit2/pull/6207
diff_file: fix crash if size of diffed file changes in workdir by @jorio in https://github.com/libgit2/libgit2/pull/6208
merge: comment conflicts lines in MERGE_MSG by @ethomson in https://github.com/libgit2/libgit2/pull/6197
Fix crashes in example programs on Windows (sprintf_s not compatible with snprintf) by @apnadkarni in https://github.com/libgit2/libgit2/pull/6212

Code cleanups

Introduce git_remote_connect_options by @ethomson in https://github.com/libgit2/libgit2/pull/6161
hash: separate hashes and git_oid by @ethomson in https://github.com/libgit2/libgit2/pull/6082
git_buf: now a public-only API (git_str is our internal API) by @ethomson in https://github.com/libgit2/libgit2/pull/6078
cmake: cleanups and consistency by @ethomson in https://github.com/libgit2/libgit2/pull/6084
path: refactor utility path functions by @ethomson in https://github.com/libgit2/libgit2/pull/6104
str: git_str_free is never a function by @ethomson in https://github.com/libgit2/libgit2/pull/6111
cmake refactorings by @ethomson in https://github.com/libgit2/libgit2/pull/6112
Add missing-declarations warning globally by @ethomson in https://github.com/libgit2/libgit2/pull/6113
cmake: further refactorings by @ethomson in https://github.com/libgit2/libgit2/pull/6114
tag: set validity to 0 by default by @ethomson in https://github.com/libgit2/libgit2/pull/6119
util: minor cleanup and refactoring to the date class by @ethomson in https://github.com/libgit2/libgit2/pull/6121
Minor code cleanups by @ethomson in https://github.com/libgit2/libgit2/pull/6122
Fix a long long that crept past by @NattyNarwhal in https://github.com/libgit2/libgit2/pull/6094
remote: refactor insteadof application by @ethomson in https://github.com/libgit2/libgit2/pull/6147
ntmlclient: fix linking with libressl by @boretrk in https://github.com/libgit2/libgit2/pull/6157
c99: change single bit flags to unsigned by @boretrk in https://github.com/libgit2/libgit2/pull/6179
Fix typos by @rex4539 in https://github.com/libgit2/libgit2/pull/6164
diff_driver: split global_drivers array into separate elements by @boretrk in https://github.com/libgit2/libgit2/pull/6184
cmake: disable some gnu extensions by @boretrk in https://github.com/libgit2/libgit2/pull/6185
Disabling setting CMAKE_FIND_LIBRARY_SUFFIXES on Apple platforms. by @arroz in https://github.com/libgit2/libgit2/pull/6153
C90: add inline macro to xdiff and mbedtls by @boretrk in https://github.com/libgit2/libgit2/pull/6200
SHA256: early preparation by @ethomson in https://github.com/libgit2/libgit2/pull/6192

CI improvements

tests: rename test runner to libgit2_tests, build option to BUILD_TESTS. by @ethomson in https://github.com/libgit2/libgit2/pull/6083
ci: only update docs on push by @ethomson in https://github.com/libgit2/libgit2/pull/6108
Pedantic header test by @boretrk in https://github.com/libgit2/libgit2/pull/6086
ci: build with ssh on nightly by @ethomson in https://github.com/libgit2/libgit2/pull/6148
ci: improve the name in CI runs by @ethomson in https://github.com/libgit2/libgit2/pull/6198

Documentation improvements

Document that git_odb is thread-safe by @joshtriplett in https://github.com/libgit2/libgit2/pull/6109
Improve documentation by @punkymaniac in https://github.com/libgit2/libgit2/pull/6168

Other changes

libgit2_clar is now libgit2_tests by @mkhl in https://github.com/libgit2/libgit2/pull/6100
Remove PSGit from Language Bindings section of README by @cestrand in https://github.com/libgit2/libgit2/pull/6150
COPYING: remove regex copyright, add PCRE copyright by @ethomson in https://github.com/libgit2/libgit2/pull/6187
meta: add a release configuration file by @ethomson in https://github.com/libgit2/libgit2/pull/6211

New Contributors

@mkhl made their first contribution in https://github.com/libgit2/libgit2/pull/6100
@ammgws made their first contribution in https://github.com/libgit2/libgit2/pull/6106
@yoichi made their first contribution in https://github.com/libgit2/libgit2/pull/6095
@stforek made their first contribution in https://github.com/libgit2/libgit2/pull/6125
@cestrand made their first contribution in https://github.com/libgit2/libgit2/pull/6150
@rex4539 made their first contribution in https://github.com/libgit2/libgit2/pull/6164
@jorio made their first contribution in https://github.com/libgit2/libgit2/pull/6208

Full Changelog: https://github.com/libgit2/libgit2/compare/v1.3.0...v1.4.0

`v1.3.2`

Compare Source

🔒 This is a security release with multiple changes.

This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to CVE 2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.
A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.
A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).
The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.3 release line are recommended to upgrade.

`v1.3.1`

Compare Source

🔒 This is a security release to provide compatibility with git's changes to address CVE 2022-24765.

Full list of changes:

Validate repository directory ownership (v1.3) by @ethomson in https://github.com/libgit2/libgit2/pull/6268

All users of the v1.3 release line are recommended to upgrade.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Update dependency libgit2/libgit2 to v1.5.0

Release Notes

What's Changed

New features

Bug fixes

Security fixes

Code cleanups

Build and CI improvements

Documentation improvements

New Contributors

What's Changed

New features

Deprecated APIs

ABI changes

Bug fixes

Code cleanups

CI improvements

Documentation improvements

Other changes

New Contributors

Configuration

Merge request reports