From 954711047fc45dc61f1a05a67c282a228ebb296f Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Wed, 22 Jan 2025 17:32:11 +0100 Subject: [PATCH] package/git: security bump to version 2.43.6 Fixes the following vulnerabilities: - CVE-2024-50349: Printing unsanitized URLs when asking for credentials made the user susceptible to crafted URLs (e.g. in recursive clones) that mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead. - CVE-2024-52006 Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret said Carriage Returns as line endings, even though Git did not intend that. For more details, see the announcement: https://lore.kernel.org/git/xmqq5xmh46oc.fsf@gitster.g/ Signed-off-by: Peter Korsgaard --- package/git/git.hash | 2 +- package/git/git.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/git/git.hash b/package/git/git.hash index 9b8c8eeceb..1560b599d9 100644 --- a/package/git/git.hash +++ b/package/git/git.hash @@ -1,5 +1,5 @@ # From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc -sha256 8b7cc3db84c5c6a2eeb39c63686ff5cde26278e32bb0d2226a8b424488420b98 git-2.43.5.tar.xz +sha256 25f329439ebcc8a6fe160a5600499f6a179c784d8efa4d50d54e5d77a4d13a62 git-2.43.6.tar.xz # Locally calculated sha256 5b2198d1645f767585e8a88ac0499b04472164c0d2da22e75ecf97ef443ab32e COPYING sha256 1922f45d2c49e390032c9c0ba6d7cac904087f7cec51af30c2b2ad022ce0e76a LGPL-2.1 diff --git a/package/git/git.mk b/package/git/git.mk index 01933a96b2..56c994e3a8 100644 --- a/package/git/git.mk +++ b/package/git/git.mk @@ -4,7 +4,7 @@ # ################################################################################ -GIT_VERSION = 2.43.5 +GIT_VERSION = 2.43.6 GIT_SOURCE = git-$(GIT_VERSION).tar.xz GIT_SITE = $(BR2_KERNEL_MIRROR)/software/scm/git GIT_LICENSE = GPL-2.0, LGPL-2.1+
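Review bot: the new tarball line in package/git/git.hash sits under the comment "# From: https://www.kernel.org/pub/software/scm/git/sha256sums.asc", but nothing in the patch or its message says the PGP signature on that file was checked before the value was copied. This hash is the only thing binding the build to the upstream git-2.43.6.tar.xz, so please confirm that sha256sums.asc verified cleanly and that a locally computed sha256 of the downloaded tarball gives the same value, and say so in the commit message or below the --- line.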
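Review bot: the CVE list in the commit message that justifies the GIT_VERSION change in package/git/git.mk is punctuated inconsistently: "CVE-2024-50349:" carries a colon and "CVE-2024-52006" does not. Add the colon so both entries read the same way to anyone searching the log. The version change itself is consistent with the rest of the patch, since GIT_SOURCE expands to git-$(GIT_VERSION).tar.xz and the git.hash entry is named git-2.43.6.tar.xz.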