Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gix-transport 0.41.3 has issues #1328

Closed
Jake-Shadle opened this issue Mar 23, 2024 · 6 comments
Closed

gix-transport 0.41.3 has issues #1328

Jake-Shadle opened this issue Mar 23, 2024 · 6 comments

Comments

@Jake-Shadle
Copy link
Contributor

Jake-Shadle commented Mar 23, 2024
edited

Current behavior 😯

[ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack): client error (Connect)

See EmbarkStudios/cargo-deny#641 for the error that is being seen. Basically, this caused by either gix-transport 0.41.3, or one of the HTTP libs it depends on that was also updated

    Updating gix-transport v0.41.2 -> v0.41.3
      Adding h2 v0.4.3
      Adding http v1.1.0
      Adding http-body v1.0.0
      Adding http-body-util v0.1.1
      Adding hyper v1.2.0
      Adding hyper-util v0.1.3
      Adding pin-project v1.1.5
      Adding pin-project-internal v1.1.5
      Adding reqwest v0.12.1
      Adding tower v0.4.13
      Adding tower-layer v0.3.2

If I downgrade to gix-transport 0.41.2, which also downgrades various HTTP libs, cargo-deny works as intended.

Expected behavior 🤔

The requests succeed as they do with 0.41.2.

Git behavior

No response

Steps to reproduce 🕹

  1. cargo install --version 0.14.19 cargo-deny
  2. cargo deny check advisories in a directory with a Cargo.toml
Byron added a commit that referenced this issue Mar 23, 2024
@Byron
fix!: declare reqwest dependency update as breaking (#1328)
e304369 
Related to #1327 .
@Byron
Copy link
Owner

Byron commented Mar 23, 2024
edited

Thanks for reporting! This change was introduced as non-breaking in #1327, but it was only non-breaking if gix was also using the latest version of reqwest. Otherwise, I could locally observe connection issues when trying any HTTPS request.

When installing cargo-deny as specified, I noticed that it uses gix-transport v0.41.3, but not the latest released gix v0.61.1, but gix v0.61.0.

Looking into this, I also discovered that gix v0.60 would also be able to pull in gix-transport v0.41.3, and probably suffer from the same issues.

To fix this, I yanked gix v0.61.1 and gix-transport v0.41.3, and could validate that the steps to reproduce listed here don't reproduce the issue anymore.
Further, I created a commit which now marks this as breaking change, which will cause breaking releases down the dependency chain automatically, including gix, so I can't accidentally publish such a combination again.

  • CC @obi1kenobi, even though this breakage is really special as I detected it locally, but only at runtime. You might be interested in it as an issue 'on the fringes of detectability' though.
  • CC @NobodyXu who originally asked for a release of this seemingly non-breaking update, and who know would have to wait for gix v0.62 to be released next month (there has been a lot of release-churn lately). Thanks for your understanding.

@Byron
Copy link
Owner

Byron commented Mar 23, 2024

I believe the issue is resolved, but I will leave it to @Jake-Shadle to double-check and close.

@amousset
Copy link

This indeed works for cargo-audit and cargo-deny@0.14.19 in my tests, thanks for the quick fix!

This was referenced Mar 23, 2024
Closed
Closed
@Byron Byron closed this as completed Mar 23, 2024
@amousset amousset mentioned this issue Mar 23, 2024
Closed
@NobodyXu
Copy link
Contributor

Thanks for informing me of this, I'm totally ok with this.

I have a question though, is it not possible to move reqwest (and possibly curl) completely to gix-transport?

It sounds strange that it is pulled in gix-transport then gix.

Is it just for the features?

If so maybe it's a good idea to declare the features in gix-transport then re-export to gix?

@Byron
Copy link
Owner

Byron commented Mar 23, 2024

Indeed, gix only has the reqwest dependency for the purpose of configuring its features. And in this particular case where there is a breaking change in reqwest (or curl) and the crate itself is 'made' in a certain way, we may see this effect. It feels like circumstance-meets-circumstance-meets-circumstance, and all are quite unlikely, but when they line up, it's game over 😅.

It's actually a great idea to simply forward the features in gix-transport, for reqwest and curl for good measure, in order to prevent this from ever happening again.

Feature-forwarding was always what I tried to avoid as it doesn't scale well at all, but here I don't think it would make a big difference and, given the danger that was uncovered now, it must be fixed.

@NobodyXu , would you mind creating a quick PR for reqwest? I would probably add curl forwarding myself then - that way I definitely won't forget.

@NobodyXu
Copy link
Contributor

Created #1329

Byron added a commit to NobodyXu/gitoxide that referenced this issue Mar 24, 2024
@Byron
fix: forward curl rustls feature from gix-transport to avoid `cur…
98cfbec 
…l` in `gix`. (Byron#1328)

This removes the `curl` dependency just for configuring it, and removes
a hazard which became evident with reqwest.
@mandx mandx mentioned this issue Mar 24, 2024
Closed
github-merge-queue bot pushed a commit to knope-dev/knope that referenced this issue Apr 13, 2024
@renovate
chore(deps): update rust crate gix to 0.62.0 (#1001)
37e7f3c 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [gix](https://togithub.com/Byron/gitoxide) | dependencies | minor |
`0.61.0` -> `0.62.0` |

---

### Release Notes

<details>
<summary>Byron/gitoxide (gix)</summary>

###
[`v0.62.0`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.62.0):
gix v0.62

[Compare
Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.1...gix-v0.62.0)

Please note that this release contains a security fix originally
implemented in `gix-transport` via [this
PR](https://togithub.com/Byron/gitoxide/pull/1342) which prevents `ssh`
options to be smuggled into the `ssh` command-line invocation with a
username provided to a clone or fetch URL.

Details can be found [in the
advisory](https://togithub.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh).

##### Bug Fixes

- `into_index_worktree_iter()` now takes an iterator, instead of a Vec.
    This makes the API more consistent, and one can pass `None`
    as well.
-   show submodules in status independently of their active state.
    Even inactive submodules are shown in the status by `git status`,
    so `gix` should do the same.

First observed in
[helix-editor/helix#5645 (comment)
- forward `curl` rustls feature from `gix-transport` to avoid `curl` in
`gix`.
This removes the `curl` dependency just for configuring it, and removes
    a hazard which became evident with reqwest.

##### Bug Fixes (BREAKING)

- Make `topo` more similar to `Ancestors`, but also rename `Ancestors`
to `Simple`

##### Commit Statistics

- 16 commits contributed to the release over the course of 20 calendar
days.
-   22 days passed between releases.
- 4 commits were understood as
[conventional](https://www.conventionalcommits.org/).
- 1 unique issue was worked on:
[Byron/gitoxide#1328

##### Thanks Clippy

[Clippy](https://togithub.com/rust-lang/rust-clippy) helped 1 time to
make code idiomatic.

##### Commit Details

-
**[Byron/gitoxide#1328
- Forward `curl` rustls feature from `gix-transport` to avoid `curl` in
`gix`.
(Byron/gitoxide@98cfbec)
-   **Uncategorized**
- Prepare changelogs prior to release
(Byron/gitoxide@5755271)
- Merge pull request
[Byron/gitoxide#1341
from szepeviktor/typos
(Byron/gitoxide@55f379b)
- Fix typos
(Byron/gitoxide@f72ecce)
- Merge branch 'add-topo-walk'
(Byron/gitoxide@b590a9d)
- Adapt to changes in `gix-traverse`
(Byron/gitoxide@1cfeb11)
- Make `topo` more similar to `Ancestors`, but also rename `Ancestors`
to `Simple`
(Byron/gitoxide@2a9c178)
- Adapt to changes in `gix-traverse`
(Byron/gitoxide@6154bf3)
- Thanks clippy
(Byron/gitoxide@7f6bee5)
- Merge branch 'status'
(Byron/gitoxide@45edd2e)
- `into_index_worktree_iter()` now takes an iterator, instead of a Vec.
(Byron/gitoxide@18b2921)
- Show submodules in status independently of their active state.
(Byron/gitoxide@719ced8)
- Make it easier to discover `is_path_excluded()` in documentation
(Byron/gitoxide@c136329)
- Adapt to changes in `gix-index`
(Byron/gitoxide@1e1fce1)
- Merge branch 'patch-1'
(Byron/gitoxide@9e9c653)
- Remove dep reqwest from gix
(Byron/gitoxide@e3eedd8)

###
[`v0.61.1`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.61.1):
gix v0.61.1

[Compare
Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.0...gix-v0.61.1)

This release also updates `reqwest` to v0.12, bringing hyper 1.0 and a
more recent `rustls` version.

##### Bug Fixes

-   missing closing backtick in gix lib documentation

##### Commit Statistics

- 7 commits contributed to the release over the course of 2 calendar
days.
-   3 days passed between releases.
- 1 commit was understood as
[conventional](https://www.conventionalcommits.org).
-   0 issues like '(#ID)' were seen in commit messages

##### Commit Details

<csr-read-only-do-not-edit/>

<details><summary>view details</summary>

-   **Uncategorized**
- Prepare changelogs prior to release
([`7018a92`](https://togithub.com/Byron/gitoxide/commit/7018a92))
- Merge branch 'patch-1'
([`8fde62b`](https://togithub.com/Byron/gitoxide/commit/8fde62b))
- Turn`curl` into a workspace package
([`adee500`](https://togithub.com/Byron/gitoxide/commit/adee500))
- Make reqwest a workspace package
([`369cf1b`](https://togithub.com/Byron/gitoxide/commit/369cf1b))
- Merge pull request
[#&#8203;1325](https://togithub.com/Byron/gitoxide/issues/1325) from
kdelorey/fix/simple-docs-formatting
([`3b34699`](https://togithub.com/Byron/gitoxide/commit/3b34699))
- Fixed opening of backtick in documentation.
([`f1bc4cd`](https://togithub.com/Byron/gitoxide/commit/f1bc4cd))
- Missing closing backtick in gix lib documentation
([`e1fec3c`](https://togithub.com/Byron/gitoxide/commit/e1fec3c))

</details>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/knope-dev/knope).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
LeoniePhiline added a commit to LeoniePhiline/quote-of-the-week that referenced this issue Apr 13, 2024
@LeoniePhiline
fix(deps): update rust crate gix to 0.62.0 (#24)
ee098bc 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [gix](https://togithub.com/Byron/gitoxide) | dependencies | minor |
`0.61.0` -> `0.62.0` |

---

### Release Notes

<details>
<summary>Byron/gitoxide (gix)</summary>

###
[`v0.62.0`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.62.0):
gix v0.62

[Compare
Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.1...gix-v0.62.0)

Please note that this release contains a security fix originally
implemented in `gix-transport` via [this
PR](https://togithub.com/Byron/gitoxide/pull/1342) which prevents `ssh`
options to be smuggled into the `ssh` command-line invocation with a
username provided to a clone or fetch URL.

Details can be found [in the
advisory](https://togithub.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh).

##### Bug Fixes

- `into_index_worktree_iter()` now takes an iterator, instead of a Vec.
    This makes the API more consistent, and one can pass `None`
    as well.
-   show submodules in status independently of their active state.
    Even inactive submodules are shown in the status by `git status`,
    so `gix` should do the same.

First observed in
[helix-editor/helix#5645 (comment)
- forward `curl` rustls feature from `gix-transport` to avoid `curl` in
`gix`.
This removes the `curl` dependency just for configuring it, and removes
    a hazard which became evident with reqwest.

##### Bug Fixes (BREAKING)

- Make `topo` more similar to `Ancestors`, but also rename `Ancestors`
to `Simple`

##### Commit Statistics

- 16 commits contributed to the release over the course of 20 calendar
days.
-   22 days passed between releases.
- 4 commits were understood as
[conventional](https://www.conventionalcommits.org/).
- 1 unique issue was worked on:
[Byron/gitoxide#1328

##### Thanks Clippy

[Clippy](https://togithub.com/rust-lang/rust-clippy) helped 1 time to
make code idiomatic.

##### Commit Details

-
**[Byron/gitoxide#1328
- Forward `curl` rustls feature from `gix-transport` to avoid `curl` in
`gix`.
(Byron/gitoxide@98cfbec)
-   **Uncategorized**
- Prepare changelogs prior to release
(Byron/gitoxide@5755271)
- Merge pull request
[Byron/gitoxide#1341
from szepeviktor/typos
(Byron/gitoxide@55f379b)
- Fix typos
(Byron/gitoxide@f72ecce)
- Merge branch 'add-topo-walk'
(Byron/gitoxide@b590a9d)
- Adapt to changes in `gix-traverse`
(Byron/gitoxide@1cfeb11)
- Make `topo` more similar to `Ancestors`, but also rename `Ancestors`
to `Simple`
(Byron/gitoxide@2a9c178)
- Adapt to changes in `gix-traverse`
(Byron/gitoxide@6154bf3)
- Thanks clippy
(Byron/gitoxide@7f6bee5)
- Merge branch 'status'
(Byron/gitoxide@45edd2e)
- `into_index_worktree_iter()` now takes an iterator, instead of a Vec.
(Byron/gitoxide@18b2921)
- Show submodules in status independently of their active state.
(Byron/gitoxide@719ced8)
- Make it easier to discover `is_path_excluded()` in documentation
(Byron/gitoxide@c136329)
- Adapt to changes in `gix-index`
(Byron/gitoxide@1e1fce1)
- Merge branch 'patch-1'
(Byron/gitoxide@9e9c653)
- Remove dep reqwest from gix
(Byron/gitoxide@e3eedd8)

###
[`v0.61.1`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.61.1):
gix v0.61.1

[Compare
Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.0...gix-v0.61.1)

This release also updates `reqwest` to v0.12, bringing hyper 1.0 and a
more recent `rustls` version.

##### Bug Fixes

-   missing closing backtick in gix lib documentation

##### Commit Statistics

- 7 commits contributed to the release over the course of 2 calendar
days.
-   3 days passed between releases.
- 1 commit was understood as
[conventional](https://www.conventionalcommits.org).
-   0 issues like '(#ID)' were seen in commit messages

##### Commit Details

<csr-read-only-do-not-edit/>

<details><summary>view details</summary>

-   **Uncategorized**
- Prepare changelogs prior to release
([`7018a92`](https://togithub.com/Byron/gitoxide/commit/7018a92))
- Merge branch 'patch-1'
([`8fde62b`](https://togithub.com/Byron/gitoxide/commit/8fde62b))
- Turn`curl` into a workspace package
([`adee500`](https://togithub.com/Byron/gitoxide/commit/adee500))
- Make reqwest a workspace package
([`369cf1b`](https://togithub.com/Byron/gitoxide/commit/369cf1b))
- Merge pull request
[#&#8203;1325](https://togithub.com/Byron/gitoxide/issues/1325) from
kdelorey/fix/simple-docs-formatting
([`3b34699`](https://togithub.com/Byron/gitoxide/commit/3b34699))
- Fixed opening of backtick in documentation.
([`f1bc4cd`](https://togithub.com/Byron/gitoxide/commit/f1bc4cd))
- Missing closing backtick in gix lib documentation
([`e1fec3c`](https://togithub.com/Byron/gitoxide/commit/e1fec3c))

</details>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/LeoniePhiline/quote-of-the-week).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
bors added a commit to rust-lang/cargo that referenced this issue Apr 16, 2024
@bors
Auto merge of #13760 - rust-lang:renovate/crate-gix-vulnerability, r=…
add150c 
…epage

chore(deps): update rust crate gix to 0.62.0 [security]

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [gix](https://togithub.com/Byron/gitoxide) | workspace.dependencies | minor | `0.61.0` -> `0.62.0` |

### GitHub Vulnerability Alerts

#### [GHSA-98p4-xjmm-8mfh](https://togithub.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh)

### Summary

`gix-transport` does not check the username part of a URL for text that the external `ssh` program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

### Details

This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since [Byron/gitoxide#1032, `gix-transport` checks the host and path portions of a URL for text that has a `-` in a position that will cause `ssh` to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.

As in Git, when an address is a URL of the form `ssh://username@hostname/path`, or when it takes the special form `username@hostname:dirs/repo`, this is treated as an SSH URL. `gix-transport` will replace some characters in `username` with their `%`-based URL encodings, but otherwise passes `username@hostname` as an argument to the external `ssh` command. This happens even if `username` begins with a hyphen. In that case, `ssh` treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.

This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:

- The difficulty of forming an option argument `ssh` accepts, given that characters such as `=`, `/`, and `\`, are URL-encoded, `:` is removed, and the argument passed to `ssh` contains the ``@`` sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.

  The inability to include a literal `=` prevents the use of `-oNAME=VALUE` (e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\` prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a `~` character may be smuggled in, `ssh` does not perform its own tilde expansion, so it does not form an absolute path.)

- The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as `-A` and `-X` together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument `gix-transport` intends as a URL is treated as an option argument, `ssh` treats the subsequent non-option argument `git-upload-pack` as the host instead of the command, but it is not a valid host name.

  Although `ssh` supports aliases for hosts, even if `git-upload-pack` could be made an alias, that is made difficult by the URL-encoding transformation.

However, an attacker who is able to cause a specially named `ssh` configuration file to be placed in the current working directory can smuggle in an `-F` option referencing the file, and this allows arbitrary command execution.

This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.

Other avenues of exploitation exist, but appear to be less severe. For example, the `-E` option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of `ssh`.

### PoC

To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named `configfile@example.com`, of the form

```text
ProxyCommand payload
```

where `payload` is a command with an observable side effect. On Unix-like systems, this could be `date | tee vulnerable` or an `xdg-open`, `open`, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as `calc.exe`.

(Although the syntax permitted in the value of `ProxyCommand` may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in `configfile@example.com` as well.)

Then run:

```sh
gix clone 'ssh://-Fconfigfile@example.com/abc'
```

Or:

```sh
gix clone -- '-Fconfigfile@example.com:abc/def'
```

(The `--` is required to ensure that `gix` is really passing the argument as a URL for use in `gix-transport`, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)

In either case, the payload specified in `configfile@example.com` runs, and its side effect can be observed.

Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file `errors@example.com`, or to create or append to its target if it is a symlink:

```sh
gix clone 'ssh://-Eerrors@example.com/abc'
```

```sh
gix clone -- '-Eerrors@example.com:abc/def'
```

### Impact

As in GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the `gix-transport` library.

Users who use applications that make use of `gix-transport` are potentially vulnerable, especially:

- On repositories with submodules that are automatically added, depending how the application manages submodules.
- When operating on other repositories from inside an untrusted repository.
- When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.

---

### Release Notes

<details>
<summary>Byron/gitoxide (gix)</summary>

### [`v0.62.0`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.62.0): gix v0.62

[Compare Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.1...gix-v0.62.0)

Please note that this release contains a security fix originally implemented in `gix-transport` via [this PR](https://togithub.com/Byron/gitoxide/pull/1342) which prevents `ssh` options to be smuggled into the `ssh` command-line invocation with a username provided to a clone or fetch URL.

Details can be found [in the advisory](https://togithub.com/Byron/gitoxide/security/advisories/GHSA-98p4-xjmm-8mfh).

##### Bug Fixes

-   `into_index_worktree_iter()` now takes an iterator, instead of a Vec.
    This makes the API more consistent, and one can pass `None`
    as well.
-   show submodules in status independently of their active state.
    Even inactive submodules are shown in the status by `git status`,
    so `gix` should do the same.

    First observed in [helix-editor/helix#5645 (comment)
-   forward `curl` rustls feature from `gix-transport` to avoid `curl` in `gix`.
    This removes the `curl` dependency just for configuring it, and removes
    a hazard which became evident with reqwest.

##### Bug Fixes (BREAKING)

-   Make `topo` more similar to `Ancestors`, but also rename `Ancestors` to `Simple`

##### Commit Statistics

-   16 commits contributed to the release over the course of 20 calendar days.
-   22 days passed between releases.
-   4 commits were understood as [conventional](https://www.conventionalcommits.org/).
-   1 unique issue was worked on: [Byron/gitoxide#1328

##### Thanks Clippy

[Clippy](https://togithub.com/rust-lang/rust-clippy) helped 1 time to make code idiomatic.

##### Commit Details

-   **[Byron/gitoxide#1328
    -   Forward `curl` rustls feature from `gix-transport` to avoid `curl` in `gix`. (Byron/gitoxide@98cfbec)
-   **Uncategorized**
    -   Prepare changelogs prior to release (Byron/gitoxide@5755271)
    -   Merge pull request [Byron/gitoxide#1341 from szepeviktor/typos (Byron/gitoxide@55f379b)
    -   Fix typos (Byron/gitoxide@f72ecce)
    -   Merge branch 'add-topo-walk' (Byron/gitoxide@b590a9d)
    -   Adapt to changes in `gix-traverse` (Byron/gitoxide@1cfeb11)
    -   Make `topo` more similar to `Ancestors`, but also rename `Ancestors` to `Simple` (Byron/gitoxide@2a9c178)
    -   Adapt to changes in `gix-traverse` (Byron/gitoxide@6154bf3)
    -   Thanks clippy (Byron/gitoxide@7f6bee5)
    -   Merge branch 'status' (Byron/gitoxide@45edd2e)
    -   `into_index_worktree_iter()` now takes an iterator, instead of a Vec. (Byron/gitoxide@18b2921)
    -   Show submodules in status independently of their active state. (Byron/gitoxide@719ced8)
    -   Make it easier to discover `is_path_excluded()` in documentation (Byron/gitoxide@c136329)
    -   Adapt to changes in `gix-index` (Byron/gitoxide@1e1fce1)
    -   Merge branch 'patch-1' (Byron/gitoxide@9e9c653)
    -   Remove dep reqwest from gix (Byron/gitoxide@e3eedd8)

### [`v0.61.1`](https://togithub.com/Byron/gitoxide/releases/tag/gix-v0.61.1): gix v0.61.1

[Compare Source](https://togithub.com/Byron/gitoxide/compare/gix-v0.61.0...gix-v0.61.1)

This release also updates `reqwest` to v0.12, bringing hyper 1.0 and a more recent `rustls` version.

##### Bug Fixes

-   missing closing backtick in gix lib documentation

##### Commit Statistics

-   7 commits contributed to the release over the course of 2 calendar days.
-   3 days passed between releases.
-   1 commit was understood as [conventional](https://www.conventionalcommits.org).
-   0 issues like '(#ID)' were seen in commit messages

##### Commit Details

<csr-read-only-do-not-edit/>

<details><summary>view details</summary>

-   **Uncategorized**
    -   Prepare changelogs prior to release ([`7018a92`](https://togithub.com/Byron/gitoxide/commit/7018a92))
    -   Merge branch 'patch-1' ([`8fde62b`](https://togithub.com/Byron/gitoxide/commit/8fde62b))
    -   Turn`curl` into a workspace package ([`adee500`](https://togithub.com/Byron/gitoxide/commit/adee500))
    -   Make reqwest a workspace package ([`369cf1b`](https://togithub.com/Byron/gitoxide/commit/369cf1b))
    -   Merge pull request [#&#8203;1325](https://togithub.com/Byron/gitoxide/issues/1325) from kdelorey/fix/simple-docs-formatting ([`3b34699`](https://togithub.com/Byron/gitoxide/commit/3b34699))
    -   Fixed opening of backtick in documentation. ([`f1bc4cd`](https://togithub.com/Byron/gitoxide/commit/f1bc4cd))
    -   Missing closing backtick in gix lib documentation ([`e1fec3c`](https://togithub.com/Byron/gitoxide/commit/e1fec3c))

</details>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/rust-lang/cargo).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yOTMuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI5My4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Byron @amousset @Jake-Shadle @NobodyXu