* Sun Aug 05 2018 jengelh@inai.de
- Update to new upstream release 1.2.1
* fixes CVE-2018-14912 directory traversal vulnerability
[boo#1103799]
* syntax-highlighting: replace invalid unicode with '?'
* ui-repolist: properly sort by age
* ui-patch: fix crash when using path limit
- Remove cgit-built-with-git-v2.11.0.patch (merged upstream)
* Sat Feb 11 2017 jengelh@inai.de
- Update bundled git to 2.11.1
* Thu Jan 19 2017 vsvecova@suse.com
- Version bump to v1.1:
* For more information see complete changelog at
https://git.zx2c4.com/cgit/log/
- Add cgit-built-with-git-v2.11.0.patch
* Thu Jan 05 2017 vcizek@suse.com
- remove redundant gnu-crypto BuildRequires
* Mon Jun 13 2016 astieger@suse.com
- cgit 1.0:
* Add repo.homepage/gitweb.homepage setting and homepage tab.
* Considerable internal cleanups.
* Show reverse paths in title bar so that browser tab shows
filename.
* Add syntax highlighting to md2html.
* Allow redirects even when caching is turned on.
* Fix empty PATH_INFO on redirect.
* Better HTML5 compliance.
* Simplified decorations.
* Show repo's root directory in plain view.
* Date printing and timezone normalization.
* Unicode issues in syntax highlighting.
* Account for caches with empty key.
* Use size_t for all lengths.
* More gracefully deal with unparsable commits.
- with git 2.8.3
- the following patches are now included upstream git 2.8.3:
0012-http-push-stop-using-name_path.patch
0013-show_object_with_name-simplify-by-using-path_name.patch
0014-list-objects-convert-name_path-to-a-strbuf.patch
0015-list-objects-drop-name_path-entirely.patch
0016-list-objects-pass-full-pathname-to-callbacks.patch
* Wed Mar 16 2016 tiwai@suse.de
- Fix remote code execution via buffer overflow (CVE-2016-2315,
CVE-2016-2324, bsc#971328):
0012-http-push-stop-using-name_path.patch
0013-show_object_with_name-simplify-by-using-path_name.patch
0014-list-objects-convert-name_path-to-a-strbuf.patch
0015-list-objects-drop-name_path-entirely.patch
0016-list-objects-pass-full-pathname-to-callbacks.patch
* Thu Jan 14 2016 jengelh@inai.de
- Update to new upstream release 0.12
* Show remote refs in branch switcher combobox.
* Add sample post-receive hook in /contrib.
* Add HTML escaping to filters.
* Add "enable-follow-links" option to have the log UI
behave the same way as "git log --follow", as well
as updating the diffand commit UIs.
* Errors are now cached under the dynamic-ttl setting.
* Simplified filters and converters.
* Add "enable-html-serving" to turn on serving of HTML mimetypes
from the /plain handler, to prevent against stored XSS.
* /blob no longer takes a mimetype query string parameter.
- Resolve: Reflected Cross Site Scripting & Header Injection in
Mimetype Query String; Stored Cross Site Scripting & Header
Injection in Filename Parameter; Stored Cross Site Scripting in
Git Repo Files; Integer Overflow resulting in Buffer Overflow
[boo#961916 CVE-2016-1899 CVE-2016-1900 CVE-2016-1901]
- Update bundled git tarball to 2.7.0 (build-time requirement)
* Tue Oct 06 2015 jengelh@inai.de
- Update bundled git tarball to 2.6.1 [bnc#948969]
* Thu Sep 24 2015 jengelh@inai.de
- Update bundled git tarball to 2.5.3
* Tue Jun 09 2015 jengelh@inai.de
- Update bundled git tarball to 2.4.3
* Mon May 04 2015 jengelh@inai.de
- Update to new upstream release 0.11.2
* addition of a Lua scripting engine
* fine-grained authentication support through the new Lua
scripting system
* support for the "rawdiff" command was added
* sendfile() is now used when available (Linux systems) instead
of a loop of read() and write(). This should significantly
increase performance for high volume sites which make heavy use
of the caching feature, as it saves copies to and from
user-space.
* Caching granularity is now improved with the introduction of
the cache-snapshot-ttl option, which allows configuration of
the ttl for tarball and zip snapshots of repositories.
* When filtering in the index, make the sorting links point to
the same filtered page of results
* Take into account leading slashes when comptuing links
- Avoid double %setup (messes with quilt). Simplify filelist.
%doc for man is implicit.
- Drop cgit-git-1.7.6_build_fix.patch,
cgit-fix-print-tree.diff,
cgit-fix-more-read_tree_recursive-invocations.diff,
cgit-CVE-2013-2117-disallow-directory-traversal.patch
- Add signature for the git core tarball.
* Mon Nov 24 2014 guillaume@opensuse.org
- Fix css and logo path in cgitrc file (replace /git by /cgit)
* Mon Oct 06 2014 jengelh@inai.de
- Remove ancient specfile tags/sections
- Enable parallel build
* Fri Jul 05 2013 tiwai@suse.de
- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
bnc#822166)
* Tue Nov 20 2012 vjt@openssl.it
- BuildRequire xz
* Tue Nov 20 2012 tiwai@suse.de
- updated to cgit-0.9.1:
Enhancements:
- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile
Security:
- CVE-2012-4465: heap-buffer overflow in parsing.c
- CVE-2012-4548: syntax highlighting command injection
Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stablization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff
- drop obsoleted patches
cgit-CVE-2011-2711-fix.diff
cgit-CVE-2012-4465-fix.diff
cgit-CVE-2012-4548-fix.diff
* Mon Oct 29 2012 tiwai@suse.de
- cgit-CVE-2012-4548-fix.diff:
Fix VUL-0: cgit: arbitrary code / command execution via
improperly quoted arguments (CVE-2012-4548, bnc#787074)
* Wed Oct 10 2012 tiwai@suse.de
- Fix VUL-0: specially-crafted commits can trigger a heap-based
buffer overflow (CVE-2012-4465, bnc#783012)
* Mon Feb 13 2012 coolo@suse.com
- patch license to follow spdx.org standard
* Mon Nov 28 2011 zooey@hirschkaefer.de
- Add patch cgit-fix-more-read_tree_recursive-invocations.diff:
There are more incorrect invocations of read_tree_recursive(),
one example can be seen when visiting one of the 'plain' links
in the tree view (contents of the wrong file are shown).
This time I did what I should have done last time and checked
and adjusted all invocations of read_tree_recursive().