[AUTO-CHERRYPICK] Upgrade libgit2 to Version 1.6.5 to address CVE-2024-24575 - branch main (#8092)

Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS-EXTENDED/libgit2-glib/libgit2-glib.spec

@@ -5,7 +5,7 @@ Distribution:   Mariner
 
 Name:           libgit2-glib
 Version:        0.99.0.1
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Git library for GLib
 
 License:        LGPLv2+
@@ -70,6 +70,9 @@ developing applications that use %{name}.
 %{_datadir}/vala/
 
 %changelog
+* Wed Feb 21 2024 Sam Meluch <sammeluch@microsoft.com> - 0.99.0.1-6
+- Dash roll to rebuild with new libgit2
+
 * Mon Mar 21 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.99.0.1-5
 - Adding BR on '%%{_bindir}/xsltproc'.
 - Disabled gtk doc generation to remove network dependency during build-time.

SPECS/libgit2/libgit2.signatures.json

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "libgit2-1.4.5.tar.gz": "8487bdda44bb43141d6798f71cab0d071a33fe75aa02a5a31c66ae8f4c9c5adb"
+    "libgit2-1.6.5.tar.gz": "0f09dd49e409913c94df00eeb5b54f8b597905071b454c7f614f8c6e1ddb8d75"
   }
 }

SPECS/libgit2/libgit2.spec

@@ -1,7 +1,7 @@
 Summary:        C implementation of the Git core methods as a library with a solid API
 Name:           libgit2
-Version:        1.4.5
-Release:        3%{?dist}
+Version:        1.6.5
+Release:        1%{?dist}
 License:        GPLv2 with exceptions
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -66,7 +66,8 @@ rm -vr deps
 
 %files
 %license COPYING
-%{_libdir}/libgit2.so.*
+%{_libdir}/libgit2.so.1.6*
+%{_bindir}/git2
 
 %files devel
 %doc AUTHORS docs examples README.md
@@ -76,6 +77,9 @@ rm -vr deps
 %{_includedir}/git2/
 
 %changelog
+* Wed Feb 21 2024 Sam Meluch <sammeluch@microsoft.com> - 1.6.5-1
+- Upgrade to version 1.6.5 to fix CVE-2024-24575
+
 * Wed Jan 17 2024 Harshit Gupta <guptaharshit@microsoft.com> - 1.4.5-3
 - Release bump with no changes to force a rebuild and consume new libssh2 build
 

SPECS/rust/rust.spec

@@ -9,7 +9,7 @@
 Summary:        Rust Programming Language
 Name:           rust
 Version:        1.72.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -168,6 +168,9 @@ rm %{buildroot}%{_bindir}/*.old
 %{_mandir}/man1/*
 
 %changelog
+* Wed Feb 21 2024 Sam Meluch <sammeluch@microsoft.com> - 1.72.0-6
+- Dash roll package to rebuild with new libgit2
+
 * Mon Oct 30 2023 Rohit Rawat <rohitrawat@microsoft.com> - 1.72.0-5
 - Patch CVE-2023-45853 in vendor/libz-sys/src/zlib
 

cgmanifest.json

@@ -9441,8 +9441,8 @@
         "type": "other",
         "other": {
           "name": "libgit2",
-          "version": "1.4.5",
-          "downloadUrl": "https://github.com/libgit2/libgit2/archive/v1.4.5/libgit2-1.4.5.tar.gz"
+          "version": "1.6.5",
+          "downloadUrl": "https://github.com/libgit2/libgit2/archive/v1.6.5/libgit2-1.6.5.tar.gz"
         }
       }
     },