Makefile: Upgrade libgit2 to v1.5.0

Patrick Steinhardt requested to merge pks-libgit2-v1.5.0 into master

Upstream has released libgit2 v1.5.0 on July 14th already, but so far we had been blocked from upgrading as Git2go didn't yet support it. This has now changed with the release of Git2go v34, so let's upgrade both so that we run with the latest version.

Notable upstream changes include:

- Initial work on support for SHA256 as object hash.

- Fixes for CVE-2022-24765 and CVE-2022-29187, which could lead to
  arbitrary code execution in repositories not owned by the current
  user. libgit2 was not directly impacted, but the fixes now align
  behaviour with Git and thus refuses to open repositories owned by
  a different user.

- Several fixes for MIDX files, which might be beneficial with our
  plans to start using them.

- The rename-detection limit for merges was bumped from 200 to 1000
  files to match Git's behaviour.

There are many other changes, but due to our limited use of libgit2 most of them aren't relevant to us.
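The ownership behaviour noted above means a repository whose directory belongs to another user stops opening after the upgrade. The following pre-upgrade audit is an added example, not code from this merge request, Gitaly or libgit2. It assumes a Unix host, that the owner of the Git directory itself is what matters, and that a directory holding `HEAD` and `objects/` is a repository; `AuditRepos`, `Finding` and `isGitDir` are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Finding is a Git directory whose owner is not the expected UID.
type Finding struct {
	Path     string
	OwnerUID uint32
}

// isGitDir is a heuristic (an assumption of this example): HEAD file plus objects/ dir.
func isGitDir(p string) bool {
	head, errH := os.Stat(filepath.Join(p, "HEAD"))
	objs, errO := os.Stat(filepath.Join(p, "objects"))
	return errH == nil && errO == nil && !head.IsDir() && objs.IsDir()
}

// AuditRepos walks root and returns every Git directory whose owning UID
// differs from wantUID, i.e. candidates for an ownership refusal.
func AuditRepos(root string, wantUID uint32) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || !d.IsDir() || !isGitDir(p) {
			return err // nil for plain files and non-repository directories
		}
		fi, err := os.Stat(p)
		if err != nil {
			return err
		}
		// On Unix, FileInfo.Sys() is always *syscall.Stat_t.
		if uid := fi.Sys().(*syscall.Stat_t).Uid; uid != wantUID {
			out = append(out, Finding{Path: p, OwnerUID: uid})
		}
		return filepath.SkipDir // do not descend into the repository itself
	})
	return out, err
}

func main() {
	// Audits the current directory against the UID this process runs as.
	findings, err := AuditRepos(".", uint32(os.Geteuid()))
	fmt.Println(findings, err)
}
```

Run it as the service account from the storage root; each reported path needs its ownership corrected before the new version is deployed.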