author Vincent Ambo <mail@tazj.in> 2021-09-21T10·03+0300
committer Vincent Ambo <mail@tazj.in> 2021-09-21T11·29+0300
commit 43b1791ec601732ac31195df96781a848360a9ac (patch)
tree daae8d638343295d2f1f7da955e556ef4c958864 /third_party/git/Documentation/RelNotes/2.14.6.txt
parent 2d8e7dc9d9c38127ec4ebd13aee8e8f586a43318 (diff)
chore(3p/git): Unvendor git and track patches instead r/2903
This was vendored a long time ago under the expectation that keeping
it in sync with cgit would be easier this way, but it has proven not
to be a big issue.

On the other hand, a vendored copy of git is an annoying maintenance
burden. It is much easier to rebase the single (dottime) patch that we
have.

This removes the vendored copy of git and instead passes the git
source code to cgit via `pkgs.srcOnly`, which includes the applied
patch so that cgit can continue rendering dottime.

Change-Id: If31f62dea7ce688fd1b9050204e9378019775f2b
Diffstat (limited to 'third_party/git/Documentation/RelNotes/2.14.6.txt')
-rw-r--r-- third_party/git/Documentation/RelNotes/2.14.6.txt | 54
1 files changed, 0 insertions, 54 deletions
diff --git a/third_party/git/Documentation/RelNotes/2.14.6.txt b/third_party/git/Documentation/RelNotes/2.14.6.txt
deleted file mode 100644
index 72b7af679917..000000000000
--- a/third_party/git/Documentation/RelNotes/2.14.6.txt
+++ /dev/null
@@ -1,54 +0,0 @@
-Git v2.14.6 Release Notes
-=========================
-
-This release addresses the security issues CVE-2019-1348,
-CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352,
-CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387.
-
-Fixes since v2.14.5
--------------------
-
- * CVE-2019-1348:
-   The --export-marks option of git fast-import is exposed also via
-   the in-stream command feature export-marks=... and it allows
-   overwriting arbitrary paths.
-
- * CVE-2019-1349:
-   When submodules are cloned recursively, under certain circumstances
-   Git could be fooled into using the same Git directory twice. We now
-   require the directory to be empty.
-
- * CVE-2019-1350:
-   Incorrect quoting of command-line arguments allowed remote code
-   execution during a recursive clone in conjunction with SSH URLs.
-
- * CVE-2019-1351:
-   While the only permitted drive letters for physical drives on
-   Windows are letters of the US-English alphabet, this restriction
-   does not apply to virtual drives assigned via subst <letter>:
-   <path>. Git mistook such paths for relative paths, allowing writing
-   outside of the worktree while cloning.
-
- * CVE-2019-1352:
-   Git was unaware of NTFS Alternate Data Streams, allowing files
-   inside the .git/ directory to be overwritten during a clone.
-
- * CVE-2019-1353:
-   When running Git in the Windows Subsystem for Linux (also known as
-   "WSL") while accessing a working directory on a regular Windows
-   drive, none of the NTFS protections were active.
-
- * CVE-2019-1354:
-   Filenames on Linux/Unix can contain backslashes. On Windows,
-   backslashes are directory separators. Git did not use to refuse to
-   write out tracked files with such filenames.
-
- * CVE-2019-1387:
-   Recursive clones are currently affected by a vulnerability that is
-   caused by too-lax validation of submodule names, allowing very
-   targeted attacks via remote code execution in recursive clones.
-
-Credit for finding these vulnerabilities goes to Microsoft Security
-Response Center, in particular to Nicolas Joly. The `fast-import`
-fixes were provided by Jeff King, the other fixes by Johannes
-Schindelin with help from Garima Singh.
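Review bot: The commit message does not state which git version cgit is built against once the vendored tree is gone, and that matters for the file deleted here: its opening paragraph lists eight CVEs fixed in v2.14.6 (CVE-2019-1348 through CVE-2019-1354 and CVE-2019-1387), several of them reachable through recursive clones. The diffstat shown is limited to this one file, so the `pkgs.srcOnly` change itself is not visible in this view. Please name the git version (or the nixpkgs attribute that pins it) in the commit message or in a comment beside the `pkgs.srcOnly` call, so a later reader can confirm the source handed to cgit already contains these fixes and that the single dottime patch is the only delta from upstream.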