From bbd710a456cde19fbe4d99297807f051f03bb952 Mon Sep 17 00:00:00 2001 From: lhchavez Date: Thu, 14 Apr 2022 06:49:59 -0700 Subject: [PATCH] Uprev libgit to v1.3.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🔒 This is a security release to provide compatibility with git's changes to address [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/). libgit2 (and by extension git2go) are not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior. In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues. --- .github/workflows/ci.yml | 2 +- vendor/libgit2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc8e3bd..dd0cde2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: fail-fast: false matrix: libgit2: - - 'v1.3.0' + - 'v1.3.1' name: Go (system-wide, dynamic) runs-on: ubuntu-20.04 diff --git a/vendor/libgit2 b/vendor/libgit2 index b7bad55..1f5e7f9 160000 --- a/vendor/libgit2 +++ b/vendor/libgit2 @@ -1 +1 @@ -Subproject commit b7bad55e4bb0a285b073ba5e02b01d3f522fc95d +Subproject commit 1f5e7f9add5c8bbc602b14feaec216c8877c3c84 -- 2.45.2