cgit-1.2.1-bp151.3.1

- Update to new upstream release 1.2.1
  * fixes CVE-2018-14912 directory traversal vulnerability
    [boo#1103799]
  * syntax-highlighting: replace invalid unicode with '?'
  * ui-repolist: properly sort by age
  * ui-patch: fix crash when using path limit
- Remove cgit-built-with-git-v2.11.0.patch (merged upstream)

- Update bundled git to 2.11.1

- Version bump to v1.1:
  * For more information see complete changelog at
    https://git.zx2c4.com/cgit/log/
- Add cgit-built-with-git-v2.11.0.patch

- remove redundant gnu-crypto BuildRequires

- cgit 1.0:
  * Add repo.homepage/gitweb.homepage setting and homepage tab.
  * Considerable internal cleanups.
  * Show reverse paths in title bar so that browser tab shows
    filename.
  * Add syntax highlighting to md2html.
  * Allow redirects even when caching is turned on.
  * Fix empty PATH_INFO on redirect.
  * Better HTML5 compliance.
  * Simplified decorations.
  * Show repo's root directory in plain view.
  * Date printing and timezone normalization.
  * Unicode issues in syntax highlighting.
  * Account for caches with empty key.
  * Use size_t for all lengths.
  * More gracefully deal with unparsable commits.
- with git 2.8.3
- the following patches are now included upstream git 2.8.3:
  0012-http-push-stop-using-name_path.patch
  0013-show_object_with_name-simplify-by-using-path_name.patch
  0014-list-objects-convert-name_path-to-a-strbuf.patch
  0015-list-objects-drop-name_path-entirely.patch
  0016-list-objects-pass-full-pathname-to-callbacks.patch

- Fix remote code execution via buffer overflow (CVE-2016-2315,
  CVE-2016-2324, bsc#971328):
  0012-http-push-stop-using-name_path.patch
  0013-show_object_with_name-simplify-by-using-path_name.patch
  0014-list-objects-convert-name_path-to-a-strbuf.patch
  0015-list-objects-drop-name_path-entirely.patch
  0016-list-objects-pass-full-pathname-to-callbacks.patch

- Update to new upstream release 0.12
  * Show remote refs in branch switcher combobox.
  * Add sample post-receive hook in /contrib.
  * Add HTML escaping to filters.
  * Add "enable-follow-links" option to have the log UI
  behave the same way as "git log --follow", as well
  as updating the diffand commit UIs.
  * Errors are now cached under the dynamic-ttl setting.
  * Simplified filters and converters.
  * Add "enable-html-serving" to turn on serving of HTML mimetypes
  from the /plain handler, to prevent against stored XSS.
  * /blob no longer takes a mimetype query string parameter.
- Resolve: Reflected Cross Site Scripting & Header Injection in
  Mimetype Query String; Stored Cross Site Scripting & Header
  Injection in Filename Parameter; Stored Cross Site Scripting in
  Git Repo Files; Integer Overflow resulting in Buffer Overflow
  [boo#961916 CVE-2016-1899 CVE-2016-1900 CVE-2016-1901]
- Update bundled git tarball to 2.7.0 (build-time requirement)

- Update bundled git tarball to 2.6.1 [bnc#948969]

- Update bundled git tarball to 2.5.3

- Update bundled git tarball to 2.4.3

- Update to new upstream release 0.11.2
  * addition of a Lua scripting engine
  * fine-grained authentication support through the new Lua
  scripting system
  * support for the "rawdiff" command was added
  * sendfile() is now used when available (Linux systems) instead
  of a loop of read() and write(). This should significantly
  increase performance for high volume sites which make heavy use
  of the caching feature, as it saves copies to and from
  user-space.
  * Caching granularity is now improved with the introduction of
  the cache-snapshot-ttl option, which allows configuration of
  the ttl for tarball and zip snapshots of repositories.
  * When filtering in the index, make the sorting links point to
  the same filtered page of results
  * Take into account leading slashes when comptuing links
- Avoid double %setup (messes with quilt). Simplify filelist.
  %doc for man is implicit.
- Drop cgit-git-1.7.6_build_fix.patch,
  cgit-fix-print-tree.diff,
  cgit-fix-more-read_tree_recursive-invocations.diff,
  cgit-CVE-2013-2117-disallow-directory-traversal.patch
- Add signature for the git core tarball.

- Fix css and logo path in cgitrc file (replace /git by /cgit)

- Remove ancient specfile tags/sections
- Enable parallel build

- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
  bnc#822166)

- BuildRequire xz

- updated to cgit-0.9.1:
  Enhancements:
  - path-selected submodule links
  - intelligent default branch guessing
  - /etc/mime.types lookup
  - gitweb.* and cgit.* git-config support
  - case insensitive sorting and age sorting
  - commit, repository, and section sorting
  - bold currently viewed page in pagination
  - support BSDs in makefile
  Security:
  - CVE-2012-4465: heap-buffer overflow in parsing.c
  - CVE-2012-4548: syntax highlighting command injection
  Bug Fixes:
  - transition maintainer to Jason Donenfeld (zx2c4)
  - download git snapshot from github instead of Lars' old server
  - css fixes
  - stablization of tests
  - more compatible default highlight script
  - suppress gzip timestamp so that tarballs only use tar timestamps
  - treat ctags as target in makefile
  - do not let global variables override certain local repo settings
  - print ampersand as proper html entity
  - use placeholder for empty commit subject
  - format diff view for addition and removal of files
  - point links at correct blob from ssdiff
- drop obsoleted patches
  cgit-CVE-2011-2711-fix.diff
  cgit-CVE-2012-4465-fix.diff
  cgit-CVE-2012-4548-fix.diff

- cgit-CVE-2012-4548-fix.diff:
  Fix VUL-0: cgit: arbitrary code / command execution via
  improperly quoted arguments (CVE-2012-4548, bnc#787074)

- Fix VUL-0: specially-crafted commits can trigger a heap-based
  buffer overflow (CVE-2012-4465, bnc#783012)

- patch license to follow spdx.org standard

- Add patch cgit-fix-more-read_tree_recursive-invocations.diff:
    There are more incorrect invocations of read_tree_recursive(),
    one example can be seen when visiting one of the 'plain' links
    in the tree view (contents of the wrong file are shown).
    This time I did what I should have done last time and checked
    and adjusted all invocations of read_tree_recursive().