Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14746 closed enhancement (fixed)

git-2.30.2

Reported by: ken@… Owned by: Douglas R. Reno
Priority: normal Milestone: 11.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Released today, with an announcement at github https://github.blog/2021-03-09-git-clone-vulnerability-announced/ that it fixes CVE-2021-21300 - see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300

Normal priority, because on linux this not only requires clean/smudge filters to be used, it requires use of a case-insensitive filesystem which supports symbolic links. That applies to macOS and windows, but for linux you would need to either configure ext4 or f2fs to be case-insensitive, or else clone onto an NTFS, HFS+ or APFS filesystem.

Change History (5)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

Git v2.30.2 Release Notes
=========================

This release merges up the fixes that appear in v2.17.6, v2.18.5,
v2.19.6, v2.20.5, v2.21.4, v2.22.5, v2.23.4, v2.24.4, v2.25.5,
v2.26.3, v2.27.1, v2.28.1 and v2.29.3 to address the security
issue CVE-2021-21300; see the release notes for these versions
for details.

Git v2.17.6 Release Notes
=========================

This release addresses the security issues CVE-2021-21300.

Fixes since v2.17.5
-------------------

 * CVE-2021-21300:
   On case-insensitive file systems with support for symbolic links,
   if Git is configured globally to apply delay-capable clean/smudge
   filters (such as Git LFS), Git could be fooled into running
   remote code during a clone.

Credit for finding and fixing this vulnerability goes to Matheus
Tavares, helped by Johannes Schindelin.

Since we're not affected (as mentioned in the ticket description - thank you Ken), I'll leave it as normal.
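A check for the three preconditions the ticket description and the quoted release notes list (a Git without the fix, a globally configured delay-capable clean/smudge filter such as Git LFS, and a clone target on a case-insensitive filesystem that supports symbolic links). This is an added example for this page, not code from the BLFS ticket, from the Git project or from the ticket's participants. It assumes the fixed-version table quoted in the release notes above, that delay-capable filters are the long-running drivers configured through `filter.<driver>.process` keys (which is how Git LFS registers itself), and that creating two files differing only in case plus one symlink is an adequate probe of the target filesystem; all function names and the sample inputs are my own.

```python
"""Precondition check for CVE-2021-21300 on the local host.

Added example (not part of the BLFS ticket or of Git). The fixed-version
table is taken from the v2.30.2 release notes; the filter detection and
filesystem probes are assumptions described in the lead-in.
"""
import os
import re
import subprocess
import tempfile

# First fixed patch level per maintenance series (from the release notes).
FIXED = {
    (2, 17): 6, (2, 18): 5, (2, 19): 6, (2, 20): 5, (2, 21): 4,
    (2, 22): 5, (2, 23): 4, (2, 24): 4, (2, 25): 5, (2, 26): 3,
    (2, 27): 1, (2, 28): 1, (2, 29): 3, (2, 30): 2,
}

# Constructed sample inputs for offline use; not values from the ticket.
SAMPLE_VERSION_OLD = "git version 2.30.1"
SAMPLE_VERSION_NEW = "git version 2.30.2"
SAMPLE_CONFIG = (
    "user.name=Example User\n"
    "filter.lfs.process=git-lfs filter-process\n"
    "filter.lfs.required=true\n"
)


def parse_version(text):
    """Turn 'git version 2.30.1' (or '2.30.1.rc0') into (2, 30, 1)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def version_is_fixed(version):
    """True if this Git carries the CVE-2021-21300 fix.

    Series older than 2.17 received no fix release and are reported as
    not fixed; series newer than 2.30 postdate the fix.
    """
    major, minor, patch = version[:3]
    series = (major, minor)
    if series in FIXED:
        return patch >= FIXED[series]
    return series > (2, 30)


def delay_capable_filters(config_listing):
    """Driver names with a filter.<name>.process entry (assumption: these
    are the long-running filters that can use the delay capability).

    config_listing is the text printed by `git config --global --list`.
    """
    drivers = []
    for line in config_listing.splitlines():
        m = re.match(r"filter\.(.+)\.process=", line.strip())
        if m:
            drivers.append(m.group(1))
    return drivers


def is_case_insensitive(path):
    """Probe: does a file become visible under a differently cased name?"""
    with tempfile.TemporaryDirectory(dir=path) as d:
        lower = os.path.join(d, "cve21300probe")
        upper = os.path.join(d, "CVE21300PROBE")
        with open(lower, "w") as f:
            f.write("x")
        return os.path.exists(upper)


def supports_symlinks(path):
    """Probe: can a symbolic link be created on this filesystem?"""
    with tempfile.TemporaryDirectory(dir=path) as d:
        target = os.path.join(d, "t")
        link = os.path.join(d, "l")
        open(target, "w").close()
        try:
            os.symlink(target, link)
        except (OSError, NotImplementedError):
            return False
        return os.path.islink(link)


def assess(version_text, config_listing, clone_dir):
    """Combine the three preconditions into one verdict."""
    fixed = version_is_fixed(parse_version(version_text))
    filters = delay_capable_filters(config_listing)
    fs_risky = is_case_insensitive(clone_dir) and supports_symlinks(clone_dir)
    return {
        "git_fixed": fixed,
        "process_filters": filters,
        "fs_case_insensitive_with_symlinks": fs_risky,
        "exposed": (not fixed) and bool(filters) and fs_risky,
    }


if __name__ == "__main__":
    # Live check of this host; falls back to the constructed sample if git
    # is missing so the script still demonstrates the logic offline.
    try:
        ver = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
        cfg = subprocess.run(["git", "config", "--global", "--list"],
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ver, cfg = SAMPLE_VERSION_OLD, SAMPLE_CONFIG
    print(assess(ver, cfg, tempfile.gettempdir()))
```

On a stock Linux host the filesystem probe returns False, which is the reason the ticket keeps the priority at normal; the same script run on a case-insensitive target (or an ext4/f2fs directory with case folding enabled) would report the filesystem precondition as met, and only the Git version and the filter configuration would then decide exposure.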

comment:3 by Douglas R. Reno, 3 years ago

Something interesting of note:

The build with the tests only took 2.5 SBU for me. I think this is due to building on an SSD.

Test results are identical to previous versions:

fixed   0
success 22806
failed  0
broken  241
total   23368

comment:4 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r24365

comment:5 by Bruce Dubbs, 3 years ago

Milestone: 10.2 → 11.0

Milestone renamed
