Update to 2.14.1 (resolves CVE-2017-1000117)

From the release announcement¹

    A malicious third-party can give a crafted "ssh://..." URL to an
    unsuspecting victim, and an attempt to visit the URL can result in
    any program that exists on the victim's machine being executed.
    Such a URL could be placed in the .gitmodules file of a malicious
    project, and an unsuspecting victim could be tricked into running
    "git clone --recurse-submodules" to trigger the vulnerability.

    Credits to find and fix the issue go to Brian Neel at GitLab, Joern
    Schneeweisz of Recurity Labs and Jeff King at GitHub.

¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/
Todd Zullinger 2017-08-10 17:40:10 -04:00
parent abdac93434
commit 0588f15273
2 changed files with 7 additions and 4 deletions

@ -44,8 +44,8 @@
%endif
Name: git
Version: 2.14.0
Release: 2%{?dist}
Version: 2.14.1
Release: 1%{?dist}
Summary: Fast Version Control System
License: GPLv2
Group: Development/Tools
@ -730,6 +730,9 @@ rm -rf %{buildroot}
# No files for you!
%changelog
* Thu Aug 10 2017 Todd Zullinger <tmz@pobox.com> - 2.14.1-1
- Update to 2.14.1 (resolves CVE-2017-1000117)
* Tue Aug 08 2017 Iryna Shcherbina <ishcherb@redhat.com> - 2.14.0-2
- Add a build-time dependency on python2-devel for p4
Resolves: #1479713
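
Review bot: The new 2.14.1-1 %changelog entry names the CVE but, unlike the 2.14.0-2 entry below it, carries no "Resolves:" line. If a tracker bug was filed for CVE-2017-1000117, add it in the same "Resolves:" form so the fix can be traced from the package changelog. A few words on the impact (program execution through a crafted "ssh://..." URL, per the commit message) would also help anyone reading the changelog without access to the announcement.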

@ -1,2 +1,2 @@
SHA512 (git-2.14.0.tar.xz) = 4410ec9c40fed8efeba26ae57412975cfc4c78a43d89b0f1a2412e578a14b12e24ac7537f6b5efe83087006f27a49911facb4a9007fbc59e1548d15fd5f22dd9
SHA512 (git-2.14.0.tar.sign) = d2344e75e716ac44835921fb70406d3278e91d2b0875200a3dcceef975a54509fead2fb652bda977d585ffe909f71fd0ad8c959f54c3c5eced9fdf1be976c1b2
SHA512 (git-2.14.1.tar.xz) = bee35ad9c6a0d0588045ec2fe5f6987cb1eeb3961cdf33cd9b51ae52017969131ea4ec09908f9b30944f85b0daa99614fb42c248c9c8dac5f21a90e2866c33b4
SHA512 (git-2.14.1.tar.sign) = 695509fa3f8f66beb6048682914873ee445bfc9e87192cdeced060c6088681f1cf6dc292c0831a1313c294981b77c99f4bd2da586e0bbb35db1169f42b71549c
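
Review bot: The git-2.14.1.tar.sign entry only pins the bytes of the signature file; nothing in this hunk shows that the signature was checked against the tarball. Since this is a security release, confirm before merging that git-2.14.1.tar.sign verifies against the decompressed git-2.14.1.tar with the upstream maintainer's key, so that the two new SHA512 values record a verified upload and not just whatever was downloaded.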