Package "git-cvs"

  git (1:2.34.1-1ubuntu1.16) jammy-security; urgency=medium

  * SECURITY REGRESSION: Broken safe.directory access from CVE-2022-24765
    (LP: #2142239)
    - debian/patches/CVE-2022-24765-fix1.patch: Add protected_config,
      read_protected_config, and git_protected_config in config.c, config.h.
      Add upload_pack_protected_config in upload-pack.c. Modify test in
      t/t5544-pack-objects-hook.sh.
    - debian/patches/CVE-2022-24765-fix2.patch: Replace read_very_early_config
      with git_protected_config in setup.c.

 -- Hlib Korzhynskyy <email address hidden> Thu, 19 Feb 2026 15:15:50 -0330

  git (1:2.34.1-1ubuntu1.15) jammy-security; urgency=medium

  * SECURITY REGRESSION: Breakage when using gitk and git gui. (LP: #2116251)
    - debian/patches/CVE-2025-27613.patch: Added back.
    - debian/patches/CVE-2025-27613-post1.patch: Change usage of
      safe_open_command_redirect to safe_open_command in some commands in
      gitk-git/gitk.
    - debian/patches/CVE-2025-46835-pre1.patch: Added back.
    - debian/patches/CVE-2025-46835.patch: Added back.
    - debian/patches/CVE-2025-46835-post1: Change git_read to safe_open_command
      in git-gui/git-gui.sh.

 -- Hlib Korzhynskyy <email address hidden> Wed, 09 Jul 2025 17:16:10 -0230

  git (1:2.34.1-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY REGRESSION: Revert gitk and git gui fixes pending further
    investigation. (LP: #2116251)
    - debian/patches/CVE-2025-27613.patch: Reverted.
    - debian/patches/CVE-2025-46835-pre1.patch: Reverted.
    - debian/patches/CVE-2025-46835.patch: Reverted.

 -- Hlib Korzhynskyy <email address hidden> Wed, 09 Jul 2025 10:08:11 -0230

  git (1:2.34.1-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY UPDATE: Code execution and file manipulation when cloning
    malicious repositories.
    - debian/patches/CVE-2025-27613.patch: Add argument sanitizing and replace
      command instances with safe versions in gitk-git/gitk.
    - CVE-2025-27613
  * SECURITY UPDATE: File overwrite when editing a file in a malicious
    directory in an untrusted repository.
    - debian/patches/CVE-2025-46835-pre1.patch: Remove windows specific code
      in git-gui/git-gui.sh.
    - debian/patches/CVE-2025-46835.patch: Add argument sanitizing, replace
      command instances with safe versions, and wrap instances with list in
      git-gui/git-gui.sh and other files in git-gui directory.
    - CVE-2025-46835
  * SECURITY UPDATE: Unintentional script execution due to improperly stripped
    carriage return.
    - debian/patches/CVE-2025-48384.patch: Add carriage return checks in
      config.c.
    - CVE-2025-48384
  * SECURITY UPDATE: Buffer overflow.
    - debian/patches/CVE-2025-48386.patch: Add target_append function and
      change wcsncat calls to target_append in
      contrib/credential/wincred/git-credential-wincred.c.
    - CVE-2025-48386

 -- Hlib Korzhynskyy <email address hidden> Thu, 03 Jul 2025 15:27:43 -0230

  git (1:2.34.1-1ubuntu1.12) jammy-security; urgency=medium

  * SECURITY UPDATE: crafted URL susceptibility
    - debian/patches/CVE-2024-50349-1.patch: sanitize credentials
      in credential.c, strbuf.c, strbuf.h,
      t/t0300-credentials.sh.
    - debian/patches/CVE-2024-50349-2.patch: credential sanitize
      the user prompt in credential.c, credential.h,
      t/t0300-credentials.sh, t/t5541-http-push-smart.sh,
      t/t5550-http-fetch-dumb.sh, t/t5551-http-fetch-smart.sh.
    - CVE-2024-50349
  * SECURITY UPDATE: Git may pass on Carriage Returns
    - debian/patches/CVE-2024-52006.patch: disallow carriage
      returns in the protocol by default in credential.c,
      credential.h, t/t0300-credentials.sh.
    - CVE-2024-52006

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 13 Jan 2025 17:13:20 -0300