From 23f354034df7c6d2652bca285047d29f5abef560 Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Wed, 16 Mar 2016 11:32:54 +0000 Subject: Upgrade to Git 2.8.0-rc2 This contains commit 9831e92bfa833ee9c0ce464bbc2f941ae6c2698d which removes the path_name() function. That fixes a remote-code execution security hole, described in CVE-2016-2315 and CVE-2016-2324. I have read in some places that 2.7.1 and later are not vulnerable, but I've not been able to prove that, nor find proof. At time of writing the Debian advisory doesn't show that 2.7.1 and later are safe, only 2.8.0-rc2: https://security-tracker.debian.org/tracker/CVE-2016-2324 See also: https://ma.ttias.be/remote-code-execution-git-versions-client-server-2-7-1-cve-2016-2324-cve-2016-2315/ Change-Id: I8948b295030f2f498780777aa62a54f2337518b5 --- strata/core.morph | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/strata/core.morph b/strata/core.morph index 1148ecfb..5304f50a 100644 --- a/strata/core.morph +++ b/strata/core.morph @@ -161,8 +161,8 @@ chunks: - name: git-minimal morph: strata/core/git-minimal.morph repo: upstream:git - ref: 9874fca7122563e28d699a911404fc49d2a24f1c - unpetrify-ref: v2.3.0 + ref: ed9067f705aa51819c7dfff7e4190dd267beaf5d + unpetrify-ref: v2.8.0-rc2 build-depends: - autoconf - python3 -- cgit v1.2.1
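Review bot: The new `unpetrify-ref: v2.8.0-rc2` in the git-minimal chunk pins a core stratum to a release candidate, so this change should carry a follow-up to move `ref` and `unpetrify-ref` to the final v2.8.0 tag once it exists. The commit message names 9831e92bfa833ee9c0ce464bbc2f941ae6c2698d as the fix, but the pinned `ref` is ed9067f705aa51819c7dfff7e4190dd267beaf5d and nothing in the diff shows how the two relate. Stating in the message that the fix commit was confirmed to be an ancestor of the new ref (for example with `git merge-base --is-ancestor`) would make the security claim checkable. The diffstat touches only strata/core.morph, so it is also worth confirming that no other chunk in the definitions still builds git from the old v2.3.0 ref.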