Fixes
- UploadPack: Filter refs used for deepen-not resolution
- UploadPack: Avoid calling AdvertiseRefsHook twice
- UploadPack: Filter refs used for want-ref resolution to ensure any refs the client requests are visible to the client.
- UploadPack: Defer want-ref resolution to after parsing
- [Security Fix] Call AdvertiseRefsHook to fix the following vulnerability. AdvertiseRefsHook is used to limit the visibility of refs in Gerrit. If this hook is not called, all refs are treated as visible. In protocol v2, the hook was not called, causing the server to advertise all refs. Even before then, the hook was not called in requests after the capability advertisement, so in transports like HTTP that do not retain state between round-trips, the server would advertise all refs in response to an ls-refs (ls-remote) request. Fix both cases.
- BasePackConnection: Check for expected length of ref advertisement when using protocol v2
- Update last JGit version used to generate API diff to last release
- Update list of committers
- Add new ssh bundles to scripts used to upload builds to Maven central
- Update maven site reports
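
A regression check for the security fix above, as an added example that is not part of the JGit release notes or code: it parses a captured protocol v2 ls-refs response (pkt-line framing) and reports any advertised ref outside the namespaces the requesting account is allowed to see. The sample bytes, object ids, ref names and the `VISIBLE` policy are constructed assumptions.

```python
"""Audit a captured protocol v2 ls-refs response for refs that should be hidden."""
FLUSH = b"0000"

def pkt(payload: bytes) -> bytes:
    """Encode one pkt-line: 4 hex digits of total length, then the payload."""
    return b"%04x" % (len(payload) + 4) + payload

def parse_pkt_lines(data: bytes):
    """Yield payloads up to the first flush-pkt; reject malformed framing."""
    pos = 0
    while pos + 4 <= len(data):
        header = data[pos:pos + 4]
        if header == FLUSH:
            return
        length = int(header, 16)
        if length < 4 or pos + length > len(data):
            raise ValueError("bad pkt-line length at offset %d" % pos)
        yield data[pos + 4:pos + length]
        pos += length
    raise ValueError("response ended without flush-pkt")

def advertised_refs(response: bytes):
    """Return ref names from lines of the form '<oid> <refname>[ <attr>...]'."""
    refs = []
    for line in parse_pkt_lines(response):
        fields = line.rstrip(b"\n").decode("utf-8").split(" ")
        if len(fields) < 2:
            raise ValueError("malformed ls-refs line: %r" % line)
        refs.append(fields[1])
    return refs

def leaked_refs(response: bytes, visible_prefixes):
    """Refs in the response that the policy says this account must not see."""
    return [r for r in advertised_refs(response)
            if not any(r.startswith(p) for p in visible_prefixes)]

# Constructed sample: object ids and ref names are made up for this example.
OID = b"a" * 40
SAMPLE = b"".join([
    pkt(OID + b" refs/heads/master\n"),
    pkt(OID + b" refs/heads/private/embargoed-fix\n"),
    pkt(OID + b" refs/tags/v1.0 peeled:" + OID + b"\n"),
]) + FLUSH
# Hypothetical policy for the test account: only these namespaces are readable.
VISIBLE = ("refs/heads/master", "refs/tags/")

if __name__ == "__main__":
    print(leaked_refs(SAMPLE, VISIBLE))
```

Run against a response captured as a restricted account, a non-empty result means the server is advertising refs that its visibility policy should have filtered.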