Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
This is a security release that includes updates for several CVEs reported to the Git project, including CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-1357.
This release includes libgit2 v0.28.4.
Assets
2
This is a security and bugfix release that fixes minor possible security issues, including validation that the ProgramData configuration area is owned by an administrator or the current user, and handling commit objects with a large number of parents.
This release includes libgit2 v0.28.3.
Assets
2
Additions
- Add
CherryPickCommitIntoIndextoObjectDatabase - The underlying native library (libgit2) now no longer relies on libcurl
- The underlying native library now no longer relies on zlib
- Add
IndentHeuristicoption toCompareOptions
Assets
2
This is a prerelease for the forthcoming LibGit2Sharp v0.26.0, based on libgit2 v0.28.0.
Assets
2
This is a security and bugfix release that fixes a number of minor possible security issues, including possible errors during the parsing of commit and tag information. In addition, a number of performance improvements and bugfixes are included in the underlying native library.
This release includes libgit2 v0.27.7.
Assets
2
This is a security release fixing a number of possible security issues, including hardening validation for submodule validation to help protect against CVE 2018-17456, and a number of possible errors found by fuzzing the libgit2 native library.
This release includes libgit2 v0.27.5.
Assets
2
This release includes all the changes from the previous v0.25.1 release, and correctly updates the version number to v0.25.2.
The prior release, v0.25.1, would incorrectly claim that it was an v0.25.0 prerelease when queried for its version.
v0.25.1 was not available as a NuGet package for this reason.
There are no changes from v0.25.1 other than the version number update.
Assets
2
This is a security release fixing insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans) and disallows .gitmodules files as symlinks. This includes libgit2 v0.27.1, whose release notes follow.
While submodule names come from the untrusted .gitmodules file, we blindly append the name to $GIT_DIR/modules to construct the final path of the submodule repository. In case the name contains e.g. ../, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.
Adding a symlink as .gitmodules into the index from the workdir or checking out such files is not allowed as this can make a Git implementation write outside of the repository and bypass the fsck checks for CVE-2018-11235.
libgit2 (and LibGit2Sharp) are not susceptible to CVE-2018-11233.
Assets
2
LibGit2Sharp is now .NET Core 2.0+ and .NET Framework compatible.
Additions
GitObjectnow has aPeelmethod that will let you peel (for example)
aTagto aTree.MergeOptionsnow includes an option toIgnoreWhitespaceChanges.TreeDefinitioncan nowAddan object with only the ID, which allows
users of large files to add entries without realizing aBlob.ObjectDatabasecan nowWriteaStream, which allows users of
large files to stream an object into storage without loading it into
memory.ObjectDatabasecan nowMergeCommitsIntoIndexallowing users to perform
an in-memory merge that produces anIndexstructure with conflicts.- Users can enable or disable dependent object existence checks when
creating new objects withGlobalSettings.SetEnableStrictObjectCreation - Users can enable or disable
ofs_deltasupport with
GlobalSettings.SetEnableOfsDelta
Changes
- Status now does not show untracked files by default. To retrieve
untracked files, included theStatusOptions.IncludeUntrackedand/or
theStatusOptions.RecurseUntrackedDirsoptions. - Status now does not show the ignored files by default. To retrieve
ignored files, include theStatusOptions.IncludeIgnoredoption. Commands.Pullcan now provide anullvalue forPullOptions,
which indicates that default values should be used.
Fixes
- The exception thrown when the native library cannot be loaded is now
able to be caught and will no longer crash the process. - Getting the
Notescollection from aRepositoryno longer throws an
exception when the repository has no notes.
Assets
2
This is a security release fixing two issues. It updates libgit2's included zlib to 1.2.11, and includes a libgit2 fix for memory handling issues when reading crafted repository index files.