Incoming details.
whissi: ACK; will commit & bump as soon as upstream releases the official tarballs at the end of the embargo. It would be nice if upstream would include new distfile checksums beyond just the git bundles like this.
Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5, v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5, v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security issue CVE-2021-21300; see the release notes for these versions for details.

----------------------------------------------------------------

Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

 * CVE-2021-21300:
   On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus Tavares, helped by Johannes Schindelin.
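A triage helper for the conditions named in the release notes quoted above, added here as an example and not part of the original bug report or of Git: it classifies `git --version` output against the fixed releases listed there and finds globally configured long-running (`process`) filter drivers, the kind that can delay checkout entries. The function names and the sample configuration are constructed, and treating tracks newer than v2.30 as fixed is an assumption.

```python
import re

# Fixed release per maintenance track, copied from the release notes above.
FIXED = {(2, 17): 6, (2, 18): 5, (2, 19): 6, (2, 20): 5, (2, 21): 4,
         (2, 22): 5, (2, 23): 4, (2, 24): 4, (2, 25): 5, (2, 26): 3,
         (2, 27): 1, (2, 28): 1, (2, 29): 3, (2, 30): 2}

# Constructed sample of `git config --global --list` output.
SAMPLE_CONFIG = (
    "user.name=Example User\n"
    "filter.lfs.clean=git-lfs clean -- %f\n"
    "filter.lfs.process=git-lfs filter-process\n"
)

def version_status(version_output):
    """Classify `git --version` output as 'fixed', 'unfixed' or 'unknown'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        return "unknown"
    track = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if track in FIXED:
        return "fixed" if patch >= FIXED[track] else "unfixed"
    if track > max(FIXED):
        return "fixed"   # assumption: later tracks branched after the fix
    return "unknown"     # older than v2.17: no fixed release is listed

def delay_capable_filters(config_output):
    """Return the filter drivers that set filter.<name>.process."""
    drivers = set()
    for line in config_output.splitlines():
        key, _, value = line.partition("=")
        m = re.fullmatch(r"filter\.(.+)\.process", key.strip(), re.IGNORECASE)
        if m and value.strip():
            drivers.add(m.group(1))
    return sorted(drivers)

def needs_attention(version_output, config_output):
    """True when Git is not known to be fixed and a process filter is set."""
    return (version_status(version_output) != "fixed"
            and bool(delay_capable_filters(config_output)))

if __name__ == "__main__":
    print(version_status("git version 2.26.2"), delay_capable_filters(SAMPLE_CONFIG))
```

The file-system conditions (case-insensitive, with symbolic link support) are not checked here; they have to be established per host.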
Please stabilize when ready.

commit 20cc50422bc11625049fac616f872123ab9d5d1d
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Tue Mar 9 12:04:38 2021 -0800

    dev-vcs/git: security bump for CVE-2021-21300

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 create mode 100644 dev-vcs/git/git-2.26.3.ebuild
 create mode 100644 dev-vcs/git/git-2.28.1.ebuild
 create mode 100644 dev-vcs/git/git-2.29.3.ebuild
 create mode 100644 dev-vcs/git/git-2.30.2.ebuild
ping.
amd64 stable
sparc stable
ppc64 done
ppc done
hppa stable
x86 done
arm64 done
s390 stable
arm done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbc7e5e980dae214ffdb49ff6cc593b226b21cec

commit bbc7e5e980dae214ffdb49ff6cc593b226b21cec
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 22:17:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 22:17:49 +0000

    dev-vcs/git: security cleanup

    Bug: https://bugs.gentoo.org/774678
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.26.2.ebuild | 714 ------------------------------------------
 2 files changed, 717 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202104-01 at https://security.gentoo.org/glsa/202104-01 by GLSA coordinator Thomas Deutschmann (whissi).