libgit2 v1.4.6

This is a bugfix release to improve the SSH key handling functionality that was introduced in v1.4.5.

• libgit2 can now read the known_hosts file on Windows.
• libgit2 will now examine all keys for a particular host in the known_hosts file for matches, to support remote hosts with multiple key types.

All users of the v1.4 release line are recommended to upgrade.

libgit2 v1.5.1

libgit2, when compiled using the optional, included libssh2 backend, fails to verify SSH keys by default.

Description

When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key checking by default. Users can still override the default behavior using the certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.

Users are encouraged to upgrade to v1.4.5 or v1.5.1.

libgit2 v1.4.5

libgit2, when compiled using the optional, included libssh2 backend, fails to verify SSH keys by default.

Description

When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key checking by default. Users can still override the default behavior using the certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.

Users are encouraged to upgrade to v1.4.5 or v1.5.1.

libgit2 v1.5.0

This is release v1.5.0, "Stubentiger". This release adds the basis for an experimental CLI, continues preparing for SHA256 support, adds a benchmarking utility, and has numerous new features and bugfixes.

What's Changed

New features

• The beginnings of a git-compatible CLI for testing and benchmarking by @ethomson in #6133
• Add clone support to the CLI @ethomson in #6274
• A benchmarking suite to compare libgit2 functionality against git by @ethomson in #6235
• SHA256: add a SHA256 implementation backend by @ethomson in #6144
• SHA256: support dynamically loaded openssl by @ethomson in #6258
• Transport: introduce git_transport_smart_remote_connect_options by @lhchavez in #6278

Bug fixes

• Free parent and ref in lg2_commit before returning. by @apnadkarni in #6219
• xdiff: use xdl_free not free by @ethomson in #6223
• remote: do store the update_tips callback error value by @carlosmn in #6226
• win32: find_system_dirs does not return GIT_ENOTFOUND by @ethomson in #6228
• Some minor fixes for issues discovered by coverity by @ethomson in #6238
• Fix a string concatenation bug when validating extensions by @bierbaum in #6246
• fetch: support OID refspec without dst by @ethomson in #6251
• Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in #6244
• midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in #6260
• Validate repository directory ownership by @ethomson in #6266
• midx: fix large offset table check. by @ccstolley in #6309
• midx: do not verify the checksum on load by @carlosmn in #6291
• revparse: Remove error-prone, redundant test by @dongcarl in #6299
• refs: fix missing error message by @zawata in #6305
• CLI: progress updates by @ethomson in #6319
• A couple of simplications around mwindow by @carlosmn in #6288
• config: update config entry iteration lifecycle by @ethomson in #6320
• repo: allow administrator to own the configuration by @ethomson in #6321
• filter: Fix Segfault by @zawata in #6303
• ntlmclient: LibreSSL 3.5 removed HMAC_CTX_cleanup by @vishwin in #6340
• Fix internal git_sysdir_find* function usage within public git_config_find* functions by @kcsaul in #6335
• fix interactive rebase detect. by @i-tengfei in #6334
• cmake: drop posix dependency from pcre* detection by @jpalus in #6333
• Fix erroneously lax configuration ownership checks by @ethomson in #6341
• pack: don't pretend we support pack files v3 by @ethomson in #6347
• Fix creation of branches and tags with invalid names by @lya001 in #6348

Security fixes

• Fixes for CVE 2022-29187 by @ethomson in #6349
• zlib: update bundled zlib to v1.2.12 by @ethomson in #6350

Code cleanups

• sha256: refactoring in preparation for sha256 by @ethomson in #6265
• remote: Delete a now-inexistent API declaration by @lhchavez in #6276
• Fix missing include by @cschlack in #6277

Build and CI improvements

• meta: show build status for v1.3 and v1.4 branches by @ethomson in #6216
• cmake: Fix package name for system http-parser by @mgorny in #6217
• meta: update version number to v1.5.0-alpha by @ethomson in #6220
• cmake: export libraries needed to compile against libgit2 by @ethomson in #6239
• clone: update bitbucket tests by @ethomson in #6252
• diff: don't stat empty file on arm32 (flaky test) by @ethomson in #6259
• tests: support flaky stat by @ethomson in #6262
• Include test results data in CI by @ethomson in #6306
• Add a .clang-format with our style by @ethomson in #6023
• CI: limits actions scheduled workflows to the main repo by @ethomson in #6342
• ci: update dockerfiles for mbedTLS new url by @ethomson in #6343

Documentation improvements

• Add Pharo to language bindings by @theseion in #6310
• Add link to Tcl bindings for libgit2 by @apnadkarni in #6318
• fix couple of typos by @SkinnyMind in #6287
• update documentation for default status options by @ethomson in #6322

New Contributors

• @bierbaum made their first contribution in #6246
• @dongcarl made their first contribution in #6299
• @SkinnyMind made their first contribution in #6287
• @zawata made their first contribution in #6305
• @vishwin made their first contribution in #6340
• @i-tengfei made their first contribution in #6334
• @jpalus made their first contribution in #6333
• @lya001 made their first contribution in #6348

Full Changelog: v1.4.0...v1.5.0

libgit2 v1.4.4

🔒 This is a security release with multiple changes.

• This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to CVE 2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

• A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

• A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

• The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.4 release line are recommended to upgrade.

libgit2 v1.3.2

🔒 This is a security release with multiple changes.

• This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to CVE 2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

• A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

• A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

• The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.3 release line are recommended to upgrade.

libgit2 v1.4.3

🔒 This is a security release to provide compatibility with git's changes to address CVE 2022-24765.

libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.

Full list of changes:

• Validate repository directory ownership (v1.4) by @ethomson in #6267
• midx: Fix an undefined behavior (left-shift signed overflow) by @lhchavez in #6260
• fetch: support OID refspec without dst by @ethomson in #6251
• Fix crash when regenerating a patch with unquoted spaces in filename by @jorio in #6244

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: v1.4.2...v1.4.3

libgit2 v1.3.1

🔒 This is a security release to provide compatibility with git's changes to address CVE 2022-24765.

libgit2 is not directly affected by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then also use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.

Full list of changes:

• Validate repository directory ownership (v1.3) by @ethomson in #6268

All users of the v1.3 release line are recommended to upgrade.

libgit2 v1.4.2

🐞 This is a bugfix release with the following changes:

• remote: do store the update_tips callback error value by @carlosmn in #6226
• win32: find_system_dirs does not return GIT_ENOTFOUND by @ethomson in #6228

All users of the v1.4 release line are recommended to upgrade.

libgit2 v1.4.1

🐞 This is a bugfix release with the following changes:

• xdiff: use xdl_free not free by @ethomson
• cmake: Fix package name for system http-parser by @mgorny
• Free parent and ref in lg2_commit before returning by @apnadkarni

All users of the v1.4 release line are recommended to upgrade.

Full Changelog: v1.4.0...v1.4.1