From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: Fri, 13 Jul 2018 22:50:01 +0200
Subject: [ANNOUNCE] CGIT v1.2 Released
Message-ID: <153100f1c232fcdc@frisell.zx2c4.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi folks,

CGit 1.2 is now available. As it's the first release in quite some time, there are a few exciting new features.

== CGit on the Web ==

* homepage: https://git.zx2c4.com/cgit/about/
* git repository: https://git.zx2c4.com/cgit/
* git clone: git://git.zx2c4.com/cgit
* mailing list: cgit@lists.zx2c4.com
* mailing list subscribe: https://lists.zx2c4.com/mailman/listinfo/cgit

== ChangeLog v1.2 ==

41 files changed, 1000 insertions(+), 497 deletions(-)

Notable Changes:

* Update to git 2.18.
* Proper age sorting of repositories.
* Print symlink content properly.
* Numerous fixes to our cache system, addressing issues experienced on high-volume sites like kernel.org.
* A new view for git-blame, showing the latest commit for each line of a given file.
* Annotated tags are now printed in a slightly darker color.
* The prefix for snapshots can now be controlled from the configuration file via repo.snapshot-prefix=, rather than only using the repo's basename. This is useful for serving, say, linux-4.17.7.tar.gz from a repository called linux-stable.git.
* The snapshot tarball compression types now control which archives are allowed to be served, instead of merely controlling what was shown as a link on the webpage. This allows sitemasters to keep their cache size under control and also prohibit the use of expensive compression routines.
* Signatures can now be added for snapshot tarballs through the use of git notes. Details are found in the cgitrc(5) man page: https://git.zx2c4.com/cgit/tree/cgitrc.5.txt?id=22583c4992852fff08559c35fde7bf6f673d1644#n770
* The extra-head-content= option was added for appending additional meta-tags to the <head> section, such as those required for the `go get` utility.
* Numerous important bug fixes, crash fixes, memory leak fixes, and compiler fixes.

This release contains commits from: John Keeping, Christian Hesse, Jeff Smith, Jason A. Donenfeld, Lukas Fleischer, Andy Green, Ville Skyttä, Todd Zullinger, Peter Colberg, Jon DeVree, and Daniel M. Weeks.

== Downloading ==

This release is available in compressed tarball form here:

https://git.zx2c4.com/cgit/snapshot/cgit-1.2.tar.xz

SHA2-256: d5622ba7c3eb87de402da6fe3a092219546a917ff627966e99c9f18ba32a4832
BLAKE2b-256: b49fb44a8ae70666a88937a6dbe218518a1217127b9b54c6c4e928003f63d19b

A PGP signature of that file decompressed is available here:

https://git.zx2c4.com/cgit/snapshot/cgit-1.2.tar.asc

Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

Enjoy,
Jason

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: Fri, 3 Aug 2018 17:12:29 +0200
Subject: [ANNOUNCE] CGIT v1.2.1 Released
In-Reply-To: <153100f1c232fcdc@frisell.zx2c4.com>
References: <153100f1c232fcdc@frisell.zx2c4.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi folks,

CGit 1.2.1 is now available.
It contains an important security fix and everybody should update immediately.

== CGit on the Web ==

* homepage: https://git.zx2c4.com/cgit/about/
* git repository: https://git.zx2c4.com/cgit/
* git clone: git://git.zx2c4.com/cgit
* mailing list: cgit@lists.zx2c4.com
* mailing list subscribe: https://lists.zx2c4.com/mailman/listinfo/cgit

== ChangeLog v1.2.1 ==

6 files changed, 465 insertions(+), 39 deletions(-)

Notable Changes:

* The authentication filters have been revamped, and a new one using file-based access lists has been added.
* A bug fix for the cached rc file for the snapshot-prefix.
* A fix for a critical directory traversal vulnerability, when `enable-http-clone=1` is not turned off, discovered by Jann Horn. This is pretty nasty and all users must update immediately.

This release contains commits from: Jason A. Donenfeld and Konstantin Ryabitsev.

== Downloading ==

This release is available in compressed tarball form here:

https://git.zx2c4.com/cgit/snapshot/cgit-1.2.1.tar.xz

SHA2-256: 3c547c146340fb16d4134326e7524bfb28ffa681284f1e3914bde1c27a9182bf
BLAKE2b-256: f6c9a6fe59d3f157da835c6bc36d58f9389cc6cdbc7bbbf6bfa65be0c5ad323c

A PGP signature of that file decompressed is available here:

https://git.zx2c4.com/cgit/snapshot/cgit-1.2.1.tar.asc

Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

Enjoy,
Jason

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From mboxrd@z Thu Jan 1 00:00:00 1970
From: tmz@pobox.com (Todd Zullinger)
Date: Fri, 3 Aug 2018 13:06:24 -0400
Subject: [ANNOUNCE] CGIT v1.2.1 Released
In-Reply-To:
References: <153100f1c232fcdc@frisell.zx2c4.com>
Message-ID: <20180803170624.GF3764@zaya.teonanacatl.net>

Hi Jason,

Jason A. Donenfeld wrote:
> Hi folks,
>
> CGit 1.2.1 is now available. It contains an important security fix and
> everybody should update immediately.

Yikes, thanks for the heads-up! Do you know if there is a
CVE assigned for this issue yet? It sounds like it affects
all releases from 0.8 through 1.2, right?

Thanks,

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The power of accurate observation is frequently called cynicism by
those who don't have it.
    -- George Bernard Shaw

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: Fri, 3 Aug 2018 19:31:38 +0200
Subject: [ANNOUNCE] CGIT v1.2.1 Released
In-Reply-To: <20180803170624.GF3764@zaya.teonanacatl.net>
References: <153100f1c232fcdc@frisell.zx2c4.com> <20180803170624.GF3764@zaya.teonanacatl.net>
Message-ID:

On Fri, Aug 3, 2018 at 7:06 PM Todd Zullinger wrote:
> Yikes, thanks for the heads-up! Do you know if there is a
> CVE assigned for this issue yet?

I've requested one.

> It sounds like it affects
> all releases from 0.8 through 1.2, right?

Yes.
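The download checks described in the two announcements above, as an added example that is not cgit's own code: both published digests are checked against the .tar.xz, and the detached .asc is then verified against the decompressed .tar, pinned to the announced signing-key fingerprint. It assumes gpg is on PATH and the signing key has already been imported; `--status-fd` and the `VALIDSIG` status line are standard gpg output.

```python
# Added example (not cgit's own code): verify a cgit release as the announcements describe.
# The digests cover the .tar.xz, but the detached .asc signs the *decompressed* .tar, so the
# archive is decompressed before gpg sees it. Assumes gpg is on PATH with the key imported.
import hashlib
import lzma
import subprocess

# Values quoted in the v1.2.1 announcement.
CGIT_1_2_1_SHA256 = "3c547c146340fb16d4134326e7524bfb28ffa681284f1e3914bde1c27a9182bf"
CGIT_1_2_1_BLAKE2B = "f6c9a6fe59d3f157da835c6bc36d58f9389cc6cdbc7bbbf6bfa65be0c5ad323c"
SIGNING_KEY = "AB9942E6D4A4CFC3412620A749FC7012A5DE03AE"

def digests(data: bytes) -> dict:
    """SHA2-256 plus BLAKE2b with a 32-byte digest (the announcement's 'BLAKE2b-256')."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }

def digests_match(data: bytes, sha256: str, blake2b: str) -> bool:
    """Require both published digests to match; either mismatch rejects the file."""
    d = digests(data)
    return d["sha256"] == sha256.lower() and d["blake2b-256"] == blake2b.lower()

def decompress_xz(data: bytes) -> bytes:
    """The .asc signs this output, not the .xz container."""
    return lzma.decompress(data)

def signed_by(asc_path: str, tar_path: str, key: str) -> bool:
    """True only if gpg reports a valid signature made by the pinned key.
    VALIDSIG is gpg's machine-readable status line: field 2 is the signing (sub)key
    fingerprint and the last field is the primary key fingerprint."""
    r = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, tar_path],
                       capture_output=True, text=True)
    for line in r.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            if key in (fields[2], fields[-1]):
                return True
    return False

def verify_release(xz_path: str, asc_path: str, sha256: str, blake2b: str, key: str) -> bool:
    with open(xz_path, "rb") as f:
        xz = f.read()
    if not digests_match(xz, sha256, blake2b):
        return False
    tar_path = xz_path[:-3] if xz_path.endswith(".xz") else xz_path + ".tar"
    with open(tar_path, "wb") as f:
        f.write(decompress_xz(xz))
    # A "good" signature from some other key in the keyring is not enough: pin the fingerprint.
    return signed_by(asc_path, tar_path, key)
```

After fetching both files, `verify_release("cgit-1.2.1.tar.xz", "cgit-1.2.1.tar.asc", CGIT_1_2_1_SHA256, CGIT_1_2_1_BLAKE2B, SIGNING_KEY)` returns True only when the digests, the signature and the key all check out; it writes the decompressed cgit-1.2.1.tar beside the archive.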
From mboxrd@z Thu Jan 1 00:00:00 1970
From: tmz@pobox.com (Todd Zullinger)
Date: Fri, 3 Aug 2018 14:15:39 -0400
Subject: [ANNOUNCE] CGIT v1.2.1 Released
In-Reply-To:
References: <153100f1c232fcdc@frisell.zx2c4.com> <20180803170624.GF3764@zaya.teonanacatl.net>
Message-ID: <20180803181538.GG3764@zaya.teonanacatl.net>

Jason A. Donenfeld wrote:
> On Fri, Aug 3, 2018 at 7:06 PM Todd Zullinger wrote:
>> Yikes, thanks for the heads-up! Do you know if there is a
>> CVE assigned for this issue yet?
>
> I've requested one.
>
>> It sounds like it affects
>> all releases from 0.8 through 1.2, right?
>
> Yes.

Thanks for the quick fixes and to Jann for finding this. I've got updates in the queue for Fedora and EPEL (RHEL/CentOS).

While testing, I was worried that I either flubbed something or the patch wasn't sufficient because of the caching. Luckily, all I had to do was clear that or wait 5 minutes for the cache ttl to expire.

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence.
    -- Jeremy S. Anderson

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason@zx2c4.com (Jason A. Donenfeld)
Date: Fri, 3 Aug 2018 21:08:16 +0200
Subject: [ANNOUNCE] CGIT v1.2.1 Released
In-Reply-To:
References: <153100f1c232fcdc@frisell.zx2c4.com>
Message-ID:

On Fri, Aug 3, 2018 at 5:12 PM Jason A. Donenfeld wrote:
> * A fix for a critical directory traversal vulnerability, when
> `enable-http-clone=1` is not turned off, discovered by Jann Horn.
> This is pretty nasty and all users must update immediately.

This has been assigned CVE-2018-14912.