File _patchinfo of Package patchinfo.40079
<patchinfo incident="40079">
<issue tracker="bnc" id="1218664">`git instaweb` on OpenSUSE Tumbleweed: /etc/gitweb-common.conf is not being read</issue>
<issue tracker="bnc" id="1212476">patch shebang line match the python version required in the package</issue>
<issue tracker="bnc" id="1243197">Update git to 2.49 or newer to accomodate the git workflow</issue>
<issue tracker="bnc" id="1218588">git instaweb returns "No such projects found"</issue>
<issue tracker="bnc" id="1245943">VUL-0: CVE-2025-48384: git: script may be unintentionally executed after checkout due to CRLF transforming</issue>
<issue tracker="bnc" id="1245938">VUL-0: CVE-2025-27613: git: arbitrary writable file creation and truncation in Gitk</issue>
<issue tracker="bnc" id="1245946">VUL-0: CVE-2025-48385: git: arbitrary code execution due to protocol injection via fetching advertised bundle</issue>
<issue tracker="bnc" id="1216545">git-web package update overrides custom app armor profile in /etc</issue>
<issue tracker="bnc" id="1245942">VUL-0: CVE-2025-46835: git: untrusted repository cloning can lead to arbitrary writable file creation in Git GUI</issue>
<issue tracker="bnc" id="1245939">VUL-0: CVE-2025-27614: git: arbitrary script execution via repo clonation in gitk</issue>
<issue tracker="cve" id="2025-27613"/>
<issue tracker="cve" id="2025-27614"/>
<issue tracker="cve" id="2025-46835"/>
<issue tracker="cve" id="2025-48384"/>
<issue tracker="cve" id="2025-48385"/>
<packager>adrianSuSE</packager>
<rating>important</rating>
<category>security</category>
<summary>security update for git, git-lfs, obs-scm-bridge, python-PyYAML</summary>
<description>This update for git, git-lfs, obs-scm-bridge, python-PyYAML fixes the following issues:
git was updated from version 2.43.0 to 2.51.0 (bsc#1243197):
- Security issues fixed:
* CVE-2025-27613 Fixed arbitrary writable file creation and truncation in Gitk(bsc#1245938)
* CVE-2025-27614 Fixed arbitrary script execution via repository clonation in gitk(bsc#1245939)
* CVE-2025-46835 Fixed arbitrary writable file creation in Git GUI when untrusted repository is cloned (bsc#1245942)
* CVE-2025-48384 Fixed the unintentional execution of a script after checkout due to CRLF transforming (bsc#1245943)
* CVE-2025-48385 Fixed arbitrary code execution due to protocol injection via fetching advertised bundle(bsc#1245946)
- Other changes and bugs fixed:
- Other changes and bugs fixed:
* Added SHA256 support (bsc#1243197)
* Git moved to /usr/libexec/git/git and updated AppArmor profile
accordingly (bsc#1218588)
* gitweb AppArmor profile: allow reading etc/gitweb-common.conf (bsc#1218664)
* Do not replace apparmor configuration (bsc#1216545)
* Fixed the Python version required (bsc#1212476)
- Version Updates Release Notes:
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.51.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.49.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.1.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.48.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.1.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.47.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.2.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.1.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.46.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.3.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.2.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.1.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.45.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.44.0.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.3.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.2.adoc
* https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.43.1.adoc
git-lfs is included in version 3.7.0.
python-PyYAML was updated from version 6.0.1 to 6.0.2:
- Added support for Cython 3.x and Python 3.13
obs-scm-bridge was updated from version 0.5.4 to 0.7.4:
- New Features and Improvements:
* Manifest File Support: Support has been added for a `_manifest file`, which serves as a successor to the `_subdirs`
file.
* Control Over Git Information: A new noobsinfo query parameter was added to hide git information in source and binary
files.
* Enhanced Submodule Handling: The system now records the configured branch of submodules and stays on that branch
during checkout.
* Git SHA Tracking: In project mode, the tool now uses git SHA sums instead of md5sum to track package sources.
* SSH URL Support: ssh:// SCM URLs can now be used.
* Improved Error Messages: Error reporting for invalid files within package subdirectories has been improved.
* Standardized Config Location: In project mode, the _config file is now always located in the top-level directory,
even when using subdirs.
* Reduced Unnecessary Changes: In project mode, unnecessary modifications to the package meta URL are now avoided.
* Limit Asset Handling: A new mechanism has been introduced to limit how assets are handled.
* Branch Information Export: The trackingbranch is now exported to scmsync.obsinfo.
- Bugs fixed:
* Syntax Fix: A syntax issue was corrected.
* Git Submodule Parsing: The .gitsubmodule parser was fixed to correctly handle files that contain a mix of spaces and
tabs.
</description>
</patchinfo>
