Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_158741301313050"
MIME-Version: 1.0
Date: Mon, 20 Apr 2020 20:03:33 +0000
From: "Leonardo Taccari" <leot@netbsd.org>
Subject: CVS commit: pkgsrc/devel
To: pkgsrc-changes@NetBSD.org
Reply-To: leot@netbsd.org
Message-Id: <20200420200333.0DBD1FB27@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_158741301313050
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	leot
Date:		Mon Apr 20 20:03:32 UTC 2020

Modified Files:
	pkgsrc/devel/git: Makefile.version
	pkgsrc/devel/git-base: distinfo

Log Message:
git: Update to 2.26.2

Changes:
2.26.2
------
This release is to address the security issue: CVE-2020-11008

 * With a crafted URL that contains a newline or empty host, or lacks
   a scheme, the credential helper machinery can be fooled into
   providing credential information that is not appropriate for the
   protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
   credentials are not for a host of the attacker's choosing; instead,
   they are for some unspecified host (based on how the configured
   credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with
   under-specified credential patterns.

Credit for finding the vulnerability goes to Carlo Arenas.


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 pkgsrc/devel/git/Makefile.version
cvs rdiff -u -r1.99 -r1.100 pkgsrc/devel/git-base/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_158741301313050
Content-Disposition: inline
Content-Length: 1864
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/devel/git/Makefile.version
diff -u pkgsrc/devel/git/Makefile.version:1.87 pkgsrc/devel/git/Makefile.version:1.88
--- pkgsrc/devel/git/Makefile.version:1.87	Tue Apr 14 18:27:31 2020
+++ pkgsrc/devel/git/Makefile.version	Mon Apr 20 20:03:32 2020
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.version,v 1.87 2020/04/14 18:27:31 leot Exp $
+# $NetBSD: Makefile.version,v 1.88 2020/04/20 20:03:32 leot Exp $
 #
 # used by devel/git/Makefile.common
 # used by devel/git-cvs/Makefile
 # used by devel/git-svn/Makefile
 
-GIT_VERSION=	2.26.1
+GIT_VERSION=	2.26.2

Index: pkgsrc/devel/git-base/distinfo
diff -u pkgsrc/devel/git-base/distinfo:1.99 pkgsrc/devel/git-base/distinfo:1.100
--- pkgsrc/devel/git-base/distinfo:1.99	Tue Apr 14 18:27:31 2020
+++ pkgsrc/devel/git-base/distinfo	Mon Apr 20 20:03:32 2020
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.99 2020/04/14 18:27:31 leot Exp $
+$NetBSD: distinfo,v 1.100 2020/04/20 20:03:32 leot Exp $
 
-SHA1 (git-2.26.1.tar.xz) = 9ec4ef53d157cb376aaedc0ca529d3857c3f8bf6
-RMD160 (git-2.26.1.tar.xz) = a5ec065b66bfc3bb8baa42f7f864e73595d99fc6
-SHA512 (git-2.26.1.tar.xz) = 1defa0d94e26e474abd47ec8a0c43c05152e10a5aca5f1aee7480ef0db9f5abd03275fefb7c4e0ee816199c87c0b2a13c164c5f7aa5ff36cafdacf27b3573785
-Size (git-2.26.1.tar.xz) = 6006104 bytes
+SHA1 (git-2.26.2.tar.xz) = bdb5eb6c014d7c372be70782a5155d964abe2c08
+RMD160 (git-2.26.2.tar.xz) = d73cfb9020e0a346c954d607b5301e2dd0d9b818
+SHA512 (git-2.26.2.tar.xz) = 5d92d07b171c5cd6e89a29c1211c73c1c900cd51c74d690aebfb4a3d0e93b541b09b42b6d6a1a82f5c3d953096771f9a8605c63be139f559f58698c1a0eabcfc
+Size (git-2.26.2.tar.xz) = 6007864 bytes
 SHA1 (patch-Documentation_Makefile) = 6025adac0fbb4b403f3954e6dac9d690dfb22daa
 SHA1 (patch-Makefile) = 73741b9d9a1b32bb47db48a7c546c4ff10fb41d6
 SHA1 (patch-builtin_receive-pack.c) = 271df08d874a11b41f33aade64352040bc028fa2


--_----------=_158741301313050--