From 0588f1527399f92292f193a523a652c9abc3a8e2 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Thu, 10 Aug 2017 17:40:10 -0400 Subject: [PATCH] Update to 2.14.1 (resolves CVE-2017-1000117) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From the release announcement¹ A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. Credits to find and fix the issue go to Brian Neel at GitLab, Joern Schneeweisz of Recurity Labs and Jeff King at GitHub. ¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/ --- git.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/git.spec b/git.spec index 26dd9c4..563b400 100644 --- a/git.spec +++ b/git.spec @@ -44,8 +44,8 @@ %endif Name: git -Version: 2.14.0 -Release: 2%{?dist} +Version: 2.14.1 +Release: 1%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -730,6 +730,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Thu Aug 10 2017 Todd Zullinger - 2.14.1-1 +- Update to 2.14.1 (resolves CVE-2017-1000117) + * Tue Aug 08 2017 Iryna Shcherbina - 2.14.0-2 - Add a build-time dependency on python2-devel for p4 Resolves: #1479713 diff --git a/sources b/sources index ee9e485..d69199d 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (git-2.14.0.tar.xz) = 4410ec9c40fed8efeba26ae57412975cfc4c78a43d89b0f1a2412e578a14b12e24ac7537f6b5efe83087006f27a49911facb4a9007fbc59e1548d15fd5f22dd9 -SHA512 (git-2.14.0.tar.sign) = d2344e75e716ac44835921fb70406d3278e91d2b0875200a3dcceef975a54509fead2fb652bda977d585ffe909f71fd0ad8c959f54c3c5eced9fdf1be976c1b2 +SHA512 (git-2.14.1.tar.xz) = bee35ad9c6a0d0588045ec2fe5f6987cb1eeb3961cdf33cd9b51ae52017969131ea4ec09908f9b30944f85b0daa99614fb42c248c9c8dac5f21a90e2866c33b4 +SHA512 (git-2.14.1.tar.sign) = 695509fa3f8f66beb6048682914873ee445bfc9e87192cdeced060c6088681f1cf6dc292c0831a1313c294981b77c99f4bd2da586e0bbb35db1169f42b71549c
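Review bot: In the %changelog hunk of git.spec, the new 2.14.1-1 entry names CVE-2017-1000117 but carries no tracker reference, while the 2.14.0-2 entry directly below it uses a "Resolves: #1479713" line. If a tracking bug exists for this CVE, add a matching "Resolves:" line under the new entry so the security update can be traced from the changelog in the same way.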
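Review bot: In the sources hunk, both SHA512 lines are replaced, but nothing in the patch or the commit message records that git-2.14.1.tar.xz was checked against git-2.14.1.tar.sign before the digests were written. These digests only pin whatever was uploaded, so for a security release please confirm the signature was verified against the upstream signing key and say so in the commit message. The signature file is named for the .tar rather than the .tar.xz, so the check applies to the decompressed tarball.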