[20.03] git: 2.25.3 -> 2.25.4 (security, CVE-2020-11008) #85785

Merged
merged 3 commits into from Apr 22, 2020

Conversation

@primeos (Member) commented Apr 22, 2020

Motivation for this change

Basically #85666 for 20.03.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

James Ottaway and others added 3 commits April 22, 2020 17:42
This came in handy when I wanted to bump a patch version while avoiding
a new minor version.

(cherry picked from commit 4848eef)

The syntax is ${parameter:-word} (i.e. previously this used
"latestTag" instead of the actual value).
(Fixes a regression from NixOS#85278.)

Also: Even though getting the latest tag isn't really security critical
(as long as Git itself is secure against untrusted input), I'd prefer to
switch from the Git to the HTTPS protocol (for authentication of the
server and encryption + uses a standard port).

(cherry picked from commit 6660421)
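
The regression described in the second commit message, as an added shell example that is not the project's update script: with `${parameter:-word}`, writing the bare word `latestTag` yields that literal string, while `$latestTag` yields the resolved version. The function names, the use of `$1` as the optional version override, and the sample `git ls-remote --tags` output (hashes are made up) are assumptions for illustration.

```shell
# Constructed sample of `git ls-remote --tags <https-url>` output.
# The hashes are made up; the layout is "<hash> <ref>" per line.
SAMPLE_REFS='1111111111111111111111111111111111111111 refs/tags/v2.25.3
2222222222222222222222222222222222222222 refs/tags/v2.25.3^{}
3333333333333333333333333333333333333333 refs/tags/v2.25.4
4444444444444444444444444444444444444444 refs/tags/v2.26.0-rc1
5555555555555555555555555555555555555555 refs/tags/v2.26.2'

# Read ls-remote output on stdin and print the highest release version.
# Peeled entries (^{}) and pre-release tags (-rc*) do not match the pattern.
latest_tag() {
  awk '{print $2}' \
    | sed -n 's|^refs/tags/v\([0-9][0-9.]*\)$|\1|p' \
    | sort -V \
    | tail -n 1
}

# Buggy form: the default is the literal word "latestTag".
target_buggy() {
  latestTag=$(printf '%s\n' "$SAMPLE_REFS" | latest_tag)
  printf '%s\n' "${1:-latestTag}"
}

# Fixed form: the default is the value of the variable latestTag.
# An explicit argument still wins, which is what allows pinning a
# patch release (2.25.4) while a newer minor (2.26.x) exists.
target_fixed() {
  latestTag=$(printf '%s\n' "$SAMPLE_REFS" | latest_tag)
  printf '%s\n' "${1:-$latestTag}"
}
```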