Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Nov 2012 01:48:29 +0100
From: "Jason A. Donenfeld" <>
To: oss-security <>
Subject: Fwd: [ANNOUNCE] CGIT v0.9.1 Released

Hi guys,

Just emailing to let you know that CVE-2012-4465 and CVE-2012-4548
have been fixed with the latest release of cgit.


---------- Forwarded message ----------
From: Jason A. Donenfeld <>
Date: Thu, Nov 15, 2012 at 1:46 AM
Subject: [ANNOUNCE] CGIT v0.9.1 Released

Hi everyone,

It is with pleasure that I announce the first release of cgit in
months, version 0.9.1. This last release cycle has been a long one due
to the disappearance of the former maintainer, Lars Hjemli, but rest
assured, cgit is healthy and well, and I've been very pleased with the
activity and excitement on this list.

Without further ado, here's the changelog for the latest release:

== ChangeLog v0.9.1 ==

- path-selected submodule links
- intelligent default branch guessing
- /etc/mime.types lookup
- gitweb.* and cgit.* git-config support
- case insensitive sorting and age sorting
- commit, repository, and section sorting
- bold currently viewed page in pagination
- support BSDs in makefile

- CVE-2012-4465: heap-buffer overflow in parsing.c
- CVE-2012-4548: syntax highlighting command injection

Bug Fixes:
- transition maintainer to Jason Donenfeld (zx2c4)
- download git snapshot from github instead of Lars' old server
- css fixes
- stablization of tests
- more compatible default highlight script
- suppress gzip timestamp so that tarballs only use tar timestamps
- treat ctags as target in makefile
- do not let global variables override certain local repo settings
- print ampersand as proper html entity
- use placeholder for empty commit subject
- format diff view for addition and removal of files
- point links at correct blob from ssdiff

== Downloading ==

The home of cgit is now here:

The repository can be cloned by:
$ git clone

A tarball of v0.9.1 is here:
 sha1 - faca1c822b035cd7fa5eda741f994255fde6608b
If xz is no good for your distribution, a tar.gz and a tar.bz2 are
available by tinkering with the URL.

For verification, I've gpg signed the tag "v0.9.1" which you can
verify by cloning the repo. My public key is 0xA5DE03AE:

== Moving Forward ==

For the next release cycle, there are a few things I look forward to seeing:
- ssdiff tabulation fixes
- authorization helper integration
- fixing memory leaks
- source file grepping

Thanks so much to everyone who contributed with great patches and enhancements.

Jason Donenfeld

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.