From list at eworm.de  Tue May 14 18:00:50 2024
From: list at eworm.de (Christian Hesse)
Date: Tue, 14 May 2024 20:00:50 +0200
Subject: [PATCH 1/1] git: update to v2.45.1
Message-ID: <20240514180050.23249-1-list@eworm.de>

From: Christian Hesse <mail at eworm.de>

Update to git version v2.45.1, no additional changes required.

Signed-off-by: Christian Hesse <mail at eworm.de>
---
 Makefile | 2 +-
 git      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 2612a75..ecfebaf 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ htmldir = $(docdir)
 pdfdir = $(docdir)
 mandir = $(prefix)/share/man
 SHA1_HEADER = <openssl/sha.h>
-GIT_VER = 2.45.0
+GIT_VER = 2.45.1
 GIT_URL = https://www.kernel.org/pub/software/scm/git/git-$(GIT_VER).tar.xz
 INSTALL = install
 COPYTREE = cp -r
diff --git a/git b/git
index 786a3e4..2c7b491 160000
--- a/git
+++ b/git
@@ -1 +1 @@
-Subproject commit 786a3e4b8d754d2b14b1208b98eeb0a554ef19a8
+Subproject commit 2c7b491c1d3107be35c375f59e040b0f13d0cc0c
-- 
2.45.0


From konstantin at linuxfoundation.org  Thu May 23 12:57:33 2024
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Thu, 23 May 2024 08:57:33 -0400
Subject: ls_cache should be disallowed by default
Message-ID: <20240523-vigilant-lionfish-of-performance-bcca0c@meerkat>

Hello:

I was surprised to find out that anyone can call ls_cache and view the
contents of the cache directory, including the full path to each cache file.
Since an attacker can also control the cache content, either via query
string parameters, or by pushing contents into a repository served by cgit,
this can aide someone in delivering a payload that can be executed via some
other vulnerability.

Can this functionality be disabled by default and only available if
cache-allow-ls (or something similar) is set in cgitrc?

-K