merge(third_party/git): Merge squashed git subtree at v2.23.0 r/373

Merge commit '1b593e1ea4d2af0f6444d9a7788d5d99abd6fde5' as 'third_party/git'
author: Vincent Ambo <Vincent Ambo> 2020-01-11T23·36+0000
committer: Vincent Ambo <Vincent Ambo> 2020-01-11T23·40+0000
commit: 7ef0d62730840ded097b524104cc0a0904591a63 (patch)
tree: a670f96103667aeca4789a95d94ca0dff550c4ce /third_party/git/Documentation/RelNotes/2.14.5.txt
parent: 6a2a3007077818e24a3d56fc492ada9206a10cf0 (diff)
parent: 1b593e1ea4d2af0f6444d9a7788d5d99abd6fde5 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/third_party/git/Documentation/RelNotes/2.14.5.txt b/third_party/git/Documentation/RelNotes/2.14.5.txt
new file mode 100644
index 000000000000..130645fb292a
--- /dev/null
+++ b/third_party/git/Documentation/RelNotes/2.14.5.txt
@@ -0,0 +1,16 @@
+Git v2.14.5 Release Notes
+=========================
+
+This release is to address the recently reported CVE-2018-17456.
+
+Fixes since v2.14.4
+-------------------
+
+ * Submodules' "URL"s come from the untrusted .gitmodules file, but
+   we blindly gave it to "git clone" to clone submodules when "git
+   clone --recurse-submodules" was used to clone a project that has
+   such a submodule.  The code has been hardened to reject such
+   malformed URLs (e.g. one that begins with a dash).
+
+Credit for finding and fixing this vulnerability goes to joernchen
+and Jeff King, respectively.
author	Vincent Ambo <Vincent Ambo>	2020-01-11T23·36+0000
committer	Vincent Ambo <Vincent Ambo>	2020-01-11T23·40+0000
commit	7ef0d62730840ded097b524104cc0a0904591a63 (patch)
tree	a670f96103667aeca4789a95d94ca0dff550c4ce /third_party/git/Documentation/RelNotes/2.14.5.txt
parent	6a2a3007077818e24a3d56fc492ada9206a10cf0 (diff)
parent	1b593e1ea4d2af0f6444d9a7788d5d99abd6fde5 (diff)