author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2016-03-16 11:32:54 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2016-03-16 11:41:34 +0000 |
commit | 23f354034df7c6d2652bca285047d29f5abef560 (patch) | |
tree | 9688cf71a7a6214f5f1ebe039a0ef6fc83891273 | |
parent | aa2fd0f9bf293b55f01168598d1b4ae98fe4cbb5 (diff) | |
download | definitions-23f354034df7c6d2652bca285047d29f5abef560.tar.gz |
Upgrade to Git 2.8.0-rc2

This contains commit 9831e92bfa833ee9c0ce464bbc2f941ae6c2698d which
removes the path_name() function. That fixes a remote-code execution
security hole, described in CVE-2016-2315 and CVE-2016-2324.

I have read in some places that 2.7.1 and later are not vulnerable,
but I've not been able to prove that, nor find proof. At time of writing
the Debian advisory doesn't show that 2.7.1 and later are safe, only
2.8.0-rc2:

https://security-tracker.debian.org/tracker/CVE-2016-2324

See also:

https://ma.ttias.be/remote-code-execution-git-versions-client-server-2-7-1-cve-2016-2324-cve-2016-2315/

Change-Id: I8948b295030f2f498780777aa62a54f2337518b5

-rw-r--r-- | strata/core.morph | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/strata/core.morph b/strata/core.morph index 1148ecfb..5304f50a 100644 --- a/strata/core.morph +++ b/strata/core.morph @@ -161,8 +161,8 @@ chunks: - name: git-minimal morph: strata/core/git-minimal.morph repo: upstream:git - ref: 9874fca7122563e28d699a911404fc49d2a24f1c - unpetrify-ref: v2.3.0 + ref: ed9067f705aa51819c7dfff7e4190dd267beaf5d + unpetrify-ref: v2.8.0-rc2 build-depends: - autoconf - python3 |
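
Review bot: the new `unpetrify-ref: v2.8.0-rc2` on the git-minimal chunk pins a release candidate, so this chunk needs another bump once a final v2.8.0 tag exists; a follow-up reference in the commit message would keep that from being forgotten. Nothing in the hunk ties `ref` to `unpetrify-ref`, so please confirm that ed9067f705aa51819c7dfff7e4190dd267beaf5d is the commit the v2.8.0-rc2 tag resolves to and that 9831e92bfa833ee9c0ce464bbc2f941ae6c2698d is among its ancestors, which would replace the uncertainty recorded in the commit message with a checked fact. The jump from v2.3.0 is large, so strata/core/git-minimal.morph and the listed build-depends are worth a test build, and since the hunk touches only git-minimal, any other chunk that builds from upstream:git needs the same change.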