author | Edward Thomson <ethomson@edwardthomson.com> | 2022-07-12 13:12:57 -0400 |
---|---|---|
committer | Edward Thomson <ethomson@edwardthomson.com> | 2022-07-12 13:12:57 -0400 |
commit | 3b7d756ccfaf9ec2922d2db22e6cc98f8ab6580c (patch) | |
tree | 0008dfaa7773a1ce8d4db97cf69d2127f567df10 | |
parent | bb8fc663b25ab6c68152476742e288ecc8e9697d (diff) | |
download | libgit2-3b7d756ccfaf9ec2922d2db22e6cc98f8ab6580c.tar.gz |
meta: add changelog for v1.4.4
-rw-r--r-- | docs/changelog.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/changelog.md b/docs/changelog.md index 32a67d2c7..a6794ab9d 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,3 +1,18 @@ +v1.4.4 +------ + +🔒 This is a security release with multiple changes. + +* This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), now not only is the working directory of a non-bare repository examined for its ownership, but the `.git` directory and the `.git` file (if present) are also examined for their ownership. + +* A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in `sudo`. + +* A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using `runas Administrator`). + +* The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious. + +All users of the v1.4 release line are recommended to upgrade. + v1.4.3 ------ |
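Review bot: In the first bullet of the new v1.4.4 entry, "CVE 2022-29187" has no link and no hyphen, while "CVE 2022-24765" in the same sentence is linked; writing both in the standard `CVE-YYYY-NNNNN` form and linking the first to its advisory would make the entry searchable and consistent. The same bullet says the `.git` directory and `.git` file are now examined for ownership but does not say what a caller sees when that check fails, so a short clause on the failure behaviour would help anyone upgrading within the v1.4 line. In the zlib bullet, "prior versions had memory corruption bugs" would be easier to assess with a pointer to the zlib release notes or the specific bugs meant.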