authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-17 09:21:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-17 09:21:29 +0000
commit920a7eed738050b983347797a0d23122cd799699 (patch)
tree6254bc8e87d554b832d84d39da16e1d268080487 /debian
parentMerging upstream version 1:2.45.2. (diff)
Merging debian version 1:2.45.2-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog7
-rw-r--r--debian/changelog.upstream173
-rw-r--r--debian/patches/0001-hook-plug-a-new-memory-leak.diff34
-rw-r--r--debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff82
-rw-r--r--debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff48
-rw-r--r--debian/patches/0004-hook-clone-protections-add-escape-hatch.diff182
-rw-r--r--debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff82
-rw-r--r--debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff198
-rw-r--r--debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff185
-rw-r--r--debian/patches/series7
-rw-r--r--debian/versions.upstream7
11 files changed, 181 insertions, 824 deletions
diff --git a/debian/changelog b/debian/changelog
index 1c9a8d7..5e7a213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+git (1:2.45.2-1) unstable; urgency=low
+
+ * new upstream point release (see RelNotes/2.45.2.txt).
+ * debian/patches/*: remove; applied upstream.
+
+ -- Jonathan Nieder <jrnieder@gmail.com> Sun, 16 Jun 2024 15:40:09 +0000
+
git (1:2.45.1-1~progress7.99u1) graograman-backports; urgency=medium
* Uploading to graograman-backports, remaining changes:
diff --git a/debian/changelog.upstream b/debian/changelog.upstream
index 2342f06..d8b1659 100644
--- a/debian/changelog.upstream
+++ b/debian/changelog.upstream
@@ -1,3 +1,26 @@
+Version v2.45.2; changes since v2.45.1:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.45.1; changes since v2.45.0:
---------------------------------------
@@ -175,7 +198,7 @@ Yehezkel Bernat (1):
t9604: Fix test for musl libc and new Debian
-Version v2.45.0-rc0; changes since v2.44.1:
+Version v2.45.0-rc0; changes since v2.44.2:
-------------------------------------------
Ahelenia Ziemiańska (1):
@@ -772,6 +795,29 @@ shejialuo (1):
t9117: prefer test_path_* helper functions
+Version v2.44.2; changes since v2.44.1:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.44.1; changes since v2.44.0:
---------------------------------------
@@ -966,7 +1012,7 @@ Victoria Dye (1):
ref-filter.c: sort formatted dates by byte value
-Version v2.44.0-rc0; changes since v2.43.4:
+Version v2.44.0-rc0; changes since v2.43.5:
-------------------------------------------
Achu Luma (2):
@@ -1315,6 +1361,29 @@ Zach FettersMoore (1):
subtree: fix split processing with multiple subtrees present
+Version v2.43.5; changes since v2.43.4:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.43.4; changes since v2.43.3:
---------------------------------------
@@ -1763,7 +1832,7 @@ brian m. carlson (1):
merge-file: add an option to process object IDs
-Version v2.43.0-rc0; changes since v2.42.2:
+Version v2.43.0-rc0; changes since v2.42.3:
-------------------------------------------
Alyssa Ross (1):
@@ -2159,6 +2228,29 @@ brian m. carlson (1):
doc: correct the 50 characters soft limit (+)
+Version v2.42.3; changes since v2.42.2:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.42.2; changes since v2.42.1:
---------------------------------------
@@ -2477,7 +2569,7 @@ brian m. carlson (2):
gitignore: ignore clangd .cache directory
-Version v2.42.0-rc0; changes since v2.41.1:
+Version v2.42.0-rc0; changes since v2.41.2:
-------------------------------------------
Alejandro R. Sedeño (1):
@@ -2965,6 +3057,29 @@ brian m. carlson (7):
var: add config file locations
+Version v2.41.2; changes since v2.41.1:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.41.1; changes since v2.41.0:
---------------------------------------
@@ -3113,7 +3228,7 @@ brian m. carlson (1):
upload-pack: advertise capabilities when cloning empty repos
-Version v2.41.0-rc0; changes since v2.40.2:
+Version v2.41.0-rc0; changes since v2.40.3:
-------------------------------------------
Adam Johnson (1):
@@ -3700,6 +3815,29 @@ ZheNing Hu (2):
branch, for-each-ref, tag: add option to omit empty lines
+Version v2.40.3; changes since v2.40.2:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.40.2; changes since v2.40.1:
---------------------------------------
@@ -3929,7 +4067,7 @@ idriss fekir (1):
trace.c, git.c: remove unnecessary parameter to trace_repo_setup()
-Version v2.40.0-rc0; changes since v2.39.4:
+Version v2.40.0-rc0; changes since v2.39.5:
-------------------------------------------
Adam Szkoda (1):
@@ -4337,6 +4475,29 @@ ZheNing Hu (1):
date.c: allow ISO 8601 reduced precision times
+Version v2.39.5; changes since v2.39.4:
+---------------------------------------
+
+Jeff King (5):
+ send-email: drop FakeTerm hack
+ send-email: avoid creating more than one Term::ReadLine object
+ ci: drop mention of BREW_INSTALL_PACKAGES variable
+ ci: avoid bare "gcc" for osx-gcc job
+ ci: stop installing "gcc-13" for osx-gcc
+
+Johannes Schindelin (6):
+ hook: plug a new memory leak
+ init: use the correct path of the templates directory again
+ Revert "core.hooksPath: add some protection while cloning"
+ tests: verify that `clone -c core.hooksPath=/dev/null` works again
+ clone: drop the protections where hooks aren't run
+ Revert "Add a helper function to compare file contents"
+
+Junio C Hamano (2):
+ Revert "fsck: warn about symlink pointing inside a gitdir"
+ Git 2.39.5
+
+
Version v2.39.4; changes since v2.39.3:
---------------------------------------
diff --git a/debian/patches/0001-hook-plug-a-new-memory-leak.diff b/debian/patches/0001-hook-plug-a-new-memory-leak.diff
deleted file mode 100644
index ab74831..0000000
--- a/debian/patches/0001-hook-plug-a-new-memory-leak.diff
+++ /dev/null
@@ -1,34 +0,0 @@
-From 94f95a123b10f3837e181ad93b81f1a4f53bb8fc Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:39 +0000
-Subject: hook: plug a new memory leak
-
-commit 2811ce3a79dc8a0105a6defb59718b35f5b397aa upstream.
-
-In 8db1e8743c0 (clone: prevent hooks from running during a clone,
-2024-03-28), I introduced an inadvertent memory leak that was
-unfortunately not caught before v2.45.1 was released. Here is a fix.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- hook.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hook.c b/hook.c
-index eebc4d44734..8de469b134a 100644
---- a/hook.c
-+++ b/hook.c
-@@ -26,8 +26,10 @@ static int identical_to_template_hook(const char *name, const char *path)
- found_template_hook = access(template_path.buf, X_OK) >= 0;
- }
- #endif
-- if (!found_template_hook)
-+ if (!found_template_hook) {
-+ strbuf_release(&template_path);
- return 0;
-+ }
-
- ret = do_files_match(template_path.buf, path);
-
diff --git a/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff b/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff
deleted file mode 100644
index 8e1c975..0000000
--- a/debian/patches/0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff
+++ /dev/null
@@ -1,82 +0,0 @@
-From 7db946419c29e185f1cc6e544cfb47b442019ac7 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:41 +0000
-Subject: Revert "core.hooksPath: add some protection while cloning"
-
-commit f13e8e2ea56ceef593311b3cff1ba7ba1a493682 upstream.
-
-This defense-in-depth was intended to protect the clone operation
-against future escalations where bugs in `git clone` would allow
-attackers to write arbitrary files in the `.git/` directory would allow
-for Remote Code Execution attacks via maliciously-placed hooks.
-
-However, it turns out that the `core.hooksPath` protection has
-unintentional side effects so severe that they do not justify the
-benefit of the protections. For example, it has been reported in
-https://lore.kernel.org/git/FAFA34CB-9732-4A0A-87FB-BDB272E6AEE8@alchemists.io/
-that the following invocation, which is intended to make `git clone`
-safer, is itself broken by that protective measure:
-
- git clone --config core.hooksPath=/dev/null <url>
-
-Since it turns out that the benefit does not justify the cost, let's revert
-20f3588efc6 (core.hooksPath: add some protection while cloning,
-2024-03-30).
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- config.c | 13 +------------
- t/t1800-hook.sh | 15 ---------------
- 2 files changed, 1 insertion(+), 27 deletions(-)
-
-diff --git a/config.c b/config.c
-index 77a0fd2d80e..ae3652b08fa 100644
---- a/config.c
-+++ b/config.c
-@@ -1416,19 +1416,8 @@ static int git_default_core_config(const char *var, const char *value,
- if (!strcmp(var, "core.attributesfile"))
- return git_config_pathname(&git_attributes_file, var, value);
-
-- if (!strcmp(var, "core.hookspath")) {
-- if (ctx->kvi && ctx->kvi->scope == CONFIG_SCOPE_LOCAL &&
-- git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0))
-- die(_("active `core.hooksPath` found in the local "
-- "repository config:\n\t%s\nFor security "
-- "reasons, this is disallowed by default.\nIf "
-- "this is intentional and the hook should "
-- "actually be run, please\nrun the command "
-- "again with "
-- "`GIT_CLONE_PROTECTION_ACTIVE=false`"),
-- value);
-+ if (!strcmp(var, "core.hookspath"))
- return git_config_pathname(&git_hooks_path, var, value);
-- }
-
- if (!strcmp(var, "core.bare")) {
- is_bare_repository_cfg = git_config_bool(var, value);
-diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh
-index 1894ebeb0e8..8b0234cf2d5 100755
---- a/t/t1800-hook.sh
-+++ b/t/t1800-hook.sh
-@@ -185,19 +185,4 @@ test_expect_success 'stdin to hooks' '
- test_cmp expect actual
- '
-
--test_expect_success 'clone protections' '
-- test_config core.hooksPath "$(pwd)/my-hooks" &&
-- mkdir -p my-hooks &&
-- write_script my-hooks/test-hook <<-\EOF &&
-- echo Hook ran $1
-- EOF
--
-- git hook run test-hook 2>err &&
-- test_grep "Hook ran" err &&
-- test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
-- git hook run test-hook 2>err &&
-- test_grep "active .core.hooksPath" err &&
-- test_grep ! "Hook ran" err
--'
--
- test_done
diff --git a/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff b/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff
deleted file mode 100644
index 9a494d9..0000000
--- a/debian/patches/0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff
+++ /dev/null
@@ -1,48 +0,0 @@
-From ce34e1b7a072db221190446e79cb373c7f6010a5 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:42 +0000
-Subject: tests: verify that `clone -c core.hooksPath=/dev/null` works again
-
-commit a25a15726f4d1bf1c8362f1b3146096d6a87f965 upstream.
-
-As part of the protections added in Git v2.45.1 and friends,
-repository-local `core.hooksPath` settings are no longer allowed, as a
-defense-in-depth mechanism to prevent future Git vulnerabilities to
-raise to critical level if those vulnerabilities inadvertently allow the
-repository-local config to be written.
-
-What the added protection did not anticipate is that such a
-repository-local `core.hooksPath` can not only be used to point to
-maliciously-placed scripts in the current worktree, but also to
-_prevent_ hooks from being called altogether.
-
-We just reverted the `core.hooksPath` protections, based on the Git
-maintainer's recommendation in
-https://lore.kernel.org/git/xmqq4jaxvm8z.fsf@gitster.g/ to address this
-concern as well as related ones. Let's make sure that we won't regress
-while trying to protect the clone operation further.
-
-Reported-by: Brooke Kuhlmann <brooke@alchemists.io>
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- t/t1350-config-hooks-path.sh | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/t/t1350-config-hooks-path.sh b/t/t1350-config-hooks-path.sh
-index f6dc83e2aab..45a04929170 100755
---- a/t/t1350-config-hooks-path.sh
-+++ b/t/t1350-config-hooks-path.sh
-@@ -41,4 +41,11 @@ test_expect_success 'git rev-parse --git-path hooks' '
- test .git/custom-hooks/abc = "$(cat actual)"
- '
-
-+test_expect_success 'core.hooksPath=/dev/null' '
-+ git clone -c core.hooksPath=/dev/null . no-templates &&
-+ value="$(git -C no-templates config --local core.hooksPath)" &&
-+ # The Bash used by Git for Windows rewrites `/dev/null` to `nul`
-+ { test /dev/null = "$value" || test nul = "$value"; }
-+'
-+
- test_done
diff --git a/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff b/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff
deleted file mode 100644
index b2aa135..0000000
--- a/debian/patches/0004-hook-clone-protections-add-escape-hatch.diff
+++ /dev/null
@@ -1,182 +0,0 @@
-From 1f34eea689413fa10a664f4c154b097be7796b0a Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:43 +0000
-Subject: hook(clone protections): add escape hatch
-
-commit 85811d32aca9f0ba324a04bd8709c315d472efbe upstream.
-
-As defense-in-depth measures, v2.39.4 and friends leading up to v2.45.1
-introduced code that detects when hooks have been installed during a
-`git clone`, which is indicative of a common attack vector with critical
-severity that allows Remote Code Execution.
-
-There are legitimate use cases for such behavior, though, for example
-when those hooks stem from Git's own templates, which system
-administrators are at liberty to modify to enforce, say, commit message
-conventions. The git clone protections specifically add exceptions to
-allow for that.
-
-Another legitimate use case that has been identified too late to be
-handled in these security bug-fix versions is Git LFS: It behaves
-somewhat similar to common attack vectors by writing a few hooks while
-running the `smudge` filter during a regular clone, which means that Git
-has no chance to know that the hooks are benign and e.g. the
-`post-checkout` hook can be safely executed as part of the clone
-operation.
-
-To help Git LFS, and other tools behaving similarly (if there are any),
-let's add a new, multi-valued `safe.hook.sha256` config setting. Like
-the already-existing `safe.*` settings, it is ignored in
-repository-local configs, and it is interpreted as a list of SHA-256
-checksums of hooks' contents that are safe to execute during a clone
-operation. Future Git LFS versions will need to write those entries at
-the same time they install the `smudge`/`clean` filters.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- Documentation/config/safe.txt | 6 +++
- hook.c | 69 ++++++++++++++++++++++++++++++++---
- t/t1800-hook.sh | 15 ++++++++
- 3 files changed, 85 insertions(+), 5 deletions(-)
-
-diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt
-index 577df40223a..e2eb4992bef 100644
---- a/Documentation/config/safe.txt
-+++ b/Documentation/config/safe.txt
-@@ -59,3 +59,9 @@ which id the original user has.
- If that is not what you would prefer and want git to only trust
- repositories that are owned by root instead, then you can remove
- the `SUDO_UID` variable from root's environment before invoking git.
-+
-+safe.hook.sha256::
-+ The value is the SHA-256 of hooks that are considered to be safe
-+ to run during a clone operation.
-++
-+Multiple values can be added via `git config --global --add`.
-diff --git a/hook.c b/hook.c
-index 8de469b134a..9eca6c0103a 100644
---- a/hook.c
-+++ b/hook.c
-@@ -10,6 +10,9 @@
- #include "environment.h"
- #include "setup.h"
- #include "copy.h"
-+#include "strmap.h"
-+#include "hash-ll.h"
-+#include "hex.h"
-
- static int identical_to_template_hook(const char *name, const char *path)
- {
-@@ -37,11 +40,66 @@ static int identical_to_template_hook(const char *name, const char *path)
- return ret;
- }
-
-+static struct strset safe_hook_sha256s = STRSET_INIT;
-+static int safe_hook_sha256s_initialized;
-+
-+static int get_sha256_of_file_contents(const char *path, char *sha256)
-+{
-+ struct strbuf sb = STRBUF_INIT;
-+ int fd;
-+ ssize_t res;
-+
-+ git_hash_ctx ctx;
-+ const struct git_hash_algo *algo = &hash_algos[GIT_HASH_SHA256];
-+ unsigned char hash[GIT_MAX_RAWSZ];
-+
-+ if ((fd = open(path, O_RDONLY)) < 0)
-+ return -1;
-+ res = strbuf_read(&sb, fd, 400);
-+ close(fd);
-+ if (res < 0)
-+ return -1;
-+
-+ algo->init_fn(&ctx);
-+ algo->update_fn(&ctx, sb.buf, sb.len);
-+ strbuf_release(&sb);
-+ algo->final_fn(hash, &ctx);
-+
-+ hash_to_hex_algop_r(sha256, hash, algo);
-+
-+ return 0;
-+}
-+
-+static int safe_hook_cb(const char *key, const char *value,
-+ const struct config_context *ctx UNUSED, void *d)
-+{
-+ struct strset *set = d;
-+
-+ if (value && !strcmp(key, "safe.hook.sha256"))
-+ strset_add(set, value);
-+
-+ return 0;
-+}
-+
-+static int is_hook_safe_during_clone(const char *name, const char *path, char *sha256)
-+{
-+ if (get_sha256_of_file_contents(path, sha256) < 0)
-+ return 0;
-+
-+ if (!safe_hook_sha256s_initialized) {
-+ safe_hook_sha256s_initialized = 1;
-+ git_protected_config(safe_hook_cb, &safe_hook_sha256s);
-+ }
-+
-+ return strset_contains(&safe_hook_sha256s, sha256);
-+}
-+
- const char *find_hook(const char *name)
- {
- static struct strbuf path = STRBUF_INIT;
-
- int found_hook;
-+ char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' };
-
- strbuf_reset(&path);
- strbuf_git_path(&path, "hooks/%s", name);
-@@ -73,13 +131,14 @@ const char *find_hook(const char *name)
- return NULL;
- }
- if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) &&
-- !identical_to_template_hook(name, path.buf))
-+ !identical_to_template_hook(name, path.buf) &&
-+ !is_hook_safe_during_clone(name, path.buf, sha256))
- die(_("active `%s` hook found during `git clone`:\n\t%s\n"
- "For security reasons, this is disallowed by default.\n"
-- "If this is intentional and the hook should actually "
-- "be run, please\nrun the command again with "
-- "`GIT_CLONE_PROTECTION_ACTIVE=false`"),
-- name, path.buf);
-+ "If this is intentional and the hook is safe to run, "
-+ "please run the following command and try again:\n\n"
-+ " git config --global --add safe.hook.sha256 %s"),
-+ name, path.buf, sha256);
- return path.buf;
- }
-
-diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh
-index 8b0234cf2d5..cbdf60c451a 100755
---- a/t/t1800-hook.sh
-+++ b/t/t1800-hook.sh
-@@ -185,4 +185,19 @@ test_expect_success 'stdin to hooks' '
- test_cmp expect actual
- '
-
-+test_expect_success '`safe.hook.sha256` and clone protections' '
-+ git init safe-hook &&
-+ write_script safe-hook/.git/hooks/pre-push <<-\EOF &&
-+ echo "called hook" >safe-hook.log
-+ EOF
-+
-+ test_must_fail env GIT_CLONE_PROTECTION_ACTIVE=true \
-+ git -C safe-hook hook run pre-push 2>err &&
-+ cmd="$(grep "git config --global --add safe.hook.sha256 [0-9a-f]" err)" &&
-+ eval "$cmd" &&
-+ GIT_CLONE_PROTECTION_ACTIVE=true \
-+ git -C safe-hook hook run pre-push &&
-+ test "called hook" = "$(cat safe-hook/safe-hook.log)"
-+'
-+
- test_done
diff --git a/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff b/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff
deleted file mode 100644
index bad67cd..0000000
--- a/debian/patches/0005-hooks-clone-protections-special-case-current-Git-LFS-.diff
+++ /dev/null
@@ -1,82 +0,0 @@
-From 09595d6984b41cbb6f653643f826fe009c56b493 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:44 +0000
-Subject: hooks(clone protections): special-case current Git LFS hooks
-
-commit c65d0f9ee6894cdf7feeb51639870bfaf826c905 upstream.
-
-A notable regression in v2.45.1 and friends (all the way down to
-v2.39.4) has been that Git LFS-enabled clones error out with a message
-indicating that the `post-checkout` hook has been tampered with while
-cloning, and as a safety measure it is not executed.
-
-A generic fix for benign third-party applications wishing to write hooks
-during clone operations has been implemented in the parent of this
-commit: said applications are expected to add `safe.hook.sha256` values
-to a protected config.
-
-However, the current version of Git LFS, v3.5.1, cannot be adapted
-retroactively; Therefore, let's just hard-code the SHA-256 values for
-this version. That way, Git LFS usage will no longer be broken, and the
-next Git LFS version can be taught to add those `safe.hook.sha256`
-entries.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- hook.c | 11 +++++++++++
- t/t1800-hook.sh | 20 ++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/hook.c b/hook.c
-index 9eca6c0103a..fc0548edb66 100644
---- a/hook.c
-+++ b/hook.c
-@@ -88,6 +88,17 @@ static int is_hook_safe_during_clone(const char *name, const char *path, char *s
-
- if (!safe_hook_sha256s_initialized) {
- safe_hook_sha256s_initialized = 1;
-+
-+ /* Hard-code known-safe values for Git LFS v3.4.0..v3.5.1 */
-+ /* pre-push */
-+ strset_add(&safe_hook_sha256s, "df5417b2daa3aa144c19681d1e997df7ebfe144fb7e3e05138bd80ae998008e4");
-+ /* post-checkout */
-+ strset_add(&safe_hook_sha256s, "791471b4ff472aab844a4fceaa48bbb0a12193616f971e8e940625498b4938a6");
-+ /* post-commit */
-+ strset_add(&safe_hook_sha256s, "21e961572bb3f43a5f2fbafc1cc764d86046cc2e5f0bbecebfe9684a0b73b664");
-+ /* post-merge */
-+ strset_add(&safe_hook_sha256s, "75da0da66a803b4b030ad50801ba57062c6196105eb1d2251590d100edb9390b");
-+
- git_protected_config(safe_hook_cb, &safe_hook_sha256s);
- }
-
-diff --git a/t/t1800-hook.sh b/t/t1800-hook.sh
-index cbdf60c451a..c51be5f7a06 100755
---- a/t/t1800-hook.sh
-+++ b/t/t1800-hook.sh
-@@ -200,4 +200,24 @@ test_expect_success '`safe.hook.sha256` and clone protections' '
- test "called hook" = "$(cat safe-hook/safe-hook.log)"
- '
-
-+write_lfs_pre_push_hook () {
-+ write_script "$1" <<-\EOF
-+ command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; }
-+ git lfs pre-push "$@"
-+ EOF
-+}
-+
-+test_expect_success 'Git LFS special-handling in clone protections' '
-+ git init lfs-hooks &&
-+ write_lfs_pre_push_hook lfs-hooks/.git/hooks/pre-push &&
-+ write_script git-lfs <<-\EOF &&
-+ echo "called $*" >fake-git-lfs.log
-+ EOF
-+
-+ PATH="$PWD:$PATH" GIT_CLONE_PROTECTION_ACTIVE=true \
-+ git -C lfs-hooks hook run pre-push &&
-+ test_write_lines "called pre-push" >expect &&
-+ test_cmp lfs-hooks/fake-git-lfs.log expect
-+'
-+
- test_done
diff --git a/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff b/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff
deleted file mode 100644
index a0642e3..0000000
--- a/debian/patches/0006-hooks-clone-protections-simplify-templates-hooks-vali.diff
+++ /dev/null
@@ -1,198 +0,0 @@
-From 8813bb5f4109991b88c98584a4abbb2d06cfbc28 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:45 +0000
-Subject: hooks(clone protections): simplify templates hooks validation
-
-commit eff37e9b1dec25a3e1297eb89a36d8e68fe01b40 upstream.
-
-When an active hook is encountered during a clone operation, to protect
-against Remote Code Execution attack vectors, Git checks whether the
-hook was copied over from the templates directory.
-
-When that logic was introduced, there was no other way to check this
-than to add a function to compare files.
-
-In the meantime, we've added code to compute the SHA-256 checksum of a
-given hook and compare that checksum against a list of known-safe ones.
-
-Let's simplify the logic by adding to said list when copying the
-templates' hooks.
-
-We need to be careful to support multi-process operations such as
-recursive submodule clones: In such a scenario, the list of SHA-256
-checksums that is kept in memory is not enough, we also have to pass the
-information down to child processes via `GIT_CONFIG_PARAMETERS`.
-
-Extend the regression test in t5601 to ensure that recursive clones are
-handled as expected.
-
-Note: Technically there is no way that the checksums computed while
-initializing the submodules' gitdirs can be passed to the process that
-performs the checkout: For historical reasons, these operations are
-performed in processes spawned in separate loops from the
-super-project's `git clone` process. But since the templates from which
-the submodules are initialized are the very same as the ones from which
-the super-project is initialized, we can get away with using the list of
-SHA-256 checksums that is computed when initializing the super-project
-and passing that down to the `submodule--helper` processes that perform
-the recursive checkout.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- hook.c | 43 ++++++++++++++++---------------------------
- hook.h | 10 ++++++++++
- setup.c | 7 +++++++
- t/t5601-clone.sh | 19 +++++++++++++++++++
- 4 files changed, 52 insertions(+), 27 deletions(-)
-
-diff --git a/hook.c b/hook.c
-index fc0548edb66..8ac51c9912b 100644
---- a/hook.c
-+++ b/hook.c
-@@ -14,32 +14,6 @@
- #include "hash-ll.h"
- #include "hex.h"
-
--static int identical_to_template_hook(const char *name, const char *path)
--{
-- const char *env = getenv("GIT_CLONE_TEMPLATE_DIR");
-- const char *template_dir = get_template_dir(env && *env ? env : NULL);
-- struct strbuf template_path = STRBUF_INIT;
-- int found_template_hook, ret;
--
-- strbuf_addf(&template_path, "%s/hooks/%s", template_dir, name);
-- found_template_hook = access(template_path.buf, X_OK) >= 0;
--#ifdef STRIP_EXTENSION
-- if (!found_template_hook) {
-- strbuf_addstr(&template_path, STRIP_EXTENSION);
-- found_template_hook = access(template_path.buf, X_OK) >= 0;
-- }
--#endif
-- if (!found_template_hook) {
-- strbuf_release(&template_path);
-- return 0;
-- }
--
-- ret = do_files_match(template_path.buf, path);
--
-- strbuf_release(&template_path);
-- return ret;
--}
--
- static struct strset safe_hook_sha256s = STRSET_INIT;
- static int safe_hook_sha256s_initialized;
-
-@@ -70,6 +44,22 @@ static int get_sha256_of_file_contents(const char *path, char *sha256)
- return 0;
- }
-
-+void add_safe_hook(const char *path)
-+{
-+ char sha256[GIT_SHA256_HEXSZ + 1] = { '\0' };
-+
-+ if (!get_sha256_of_file_contents(path, sha256)) {
-+ char *p;
-+
-+ strset_add(&safe_hook_sha256s, sha256);
-+
-+ /* support multi-process operations e.g. recursive clones */
-+ p = xstrfmt("safe.hook.sha256=%s", sha256);
-+ git_config_push_parameter(p);
-+ free(p);
-+ }
-+}
-+
- static int safe_hook_cb(const char *key, const char *value,
- const struct config_context *ctx UNUSED, void *d)
- {
-@@ -142,7 +132,6 @@ const char *find_hook(const char *name)
- return NULL;
- }
- if (!git_hooks_path && git_env_bool("GIT_CLONE_PROTECTION_ACTIVE", 0) &&
-- !identical_to_template_hook(name, path.buf) &&
- !is_hook_safe_during_clone(name, path.buf, sha256))
- die(_("active `%s` hook found during `git clone`:\n\t%s\n"
- "For security reasons, this is disallowed by default.\n"
-diff --git a/hook.h b/hook.h
-index 19ab9a5806e..b4770d9bd88 100644
---- a/hook.h
-+++ b/hook.h
-@@ -87,4 +87,14 @@ int run_hooks(const char *hook_name);
- * hook. This function behaves like the old run_hook_le() API.
- */
- int run_hooks_l(const char *hook_name, ...);
-+
-+/**
-+ * Mark the contents of the provided path as safe to run during a clone
-+ * operation.
-+ *
-+ * This function is mainly used when copying templates to mark the
-+ * just-copied hooks as benign.
-+ */
-+void add_safe_hook(const char *path);
-+
- #endif
-diff --git a/setup.c b/setup.c
-index 30f243fc32d..25828a85ec3 100644
---- a/setup.c
-+++ b/setup.c
-@@ -17,6 +17,8 @@
- #include "trace2.h"
- #include "worktree.h"
- #include "exec-cmd.h"
-+#include "run-command.h"
-+#include "hook.h"
-
- static int inside_git_dir = -1;
- static int inside_work_tree = -1;
-@@ -1868,6 +1870,7 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path,
- size_t path_baselen = path->len;
- size_t template_baselen = template_path->len;
- struct dirent *de;
-+ int is_hooks_dir = ends_with(template_path->buf, "/hooks/");
-
- /* Note: if ".git/hooks" file exists in the repository being
- * re-initialized, /etc/core-git/templates/hooks/update would
-@@ -1920,6 +1923,10 @@ static void copy_templates_1(struct strbuf *path, struct strbuf *template_path,
- strbuf_release(&lnk);
- }
- else if (S_ISREG(st_template.st_mode)) {
-+ if (is_hooks_dir &&
-+ is_executable(template_path->buf))
-+ add_safe_hook(template_path->buf);
-+
- if (copy_file(path->buf, template_path->buf, st_template.st_mode))
- die_errno(_("cannot copy '%s' to '%s'"),
- template_path->buf, path->buf);
-diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh
-index deb1c282c71..ca3a8d1ebed 100755
---- a/t/t5601-clone.sh
-+++ b/t/t5601-clone.sh
-@@ -836,6 +836,25 @@ test_expect_success 'clone with init.templatedir runs hooks' '
- git config --unset init.templateDir &&
- test_grep ! "active .* hook found" err &&
- test_path_is_missing hook-run-local-config/hook.run
-+ ) &&
-+
-+ test_config_global protocol.file.allow always &&
-+ git -C tmpl/hooks submodule add "$(pwd)/tmpl/hooks" sub &&
-+ test_tick &&
-+ git -C tmpl/hooks add .gitmodules sub &&
-+ git -C tmpl/hooks commit -m submodule &&
-+
-+ (
-+ sane_unset GIT_TEMPLATE_DIR &&
-+ NO_SET_GIT_TEMPLATE_DIR=t &&
-+ export NO_SET_GIT_TEMPLATE_DIR &&
-+
-+ git -c init.templateDir="$(pwd)/tmpl" \
-+ clone --recurse-submodules \
-+ tmpl/hooks hook-run-submodule 2>err &&
-+ test_grep ! "active .* hook found" err &&
-+ test_path_is_file hook-run-submodule/hook.run &&
-+ test_path_is_file hook-run-submodule/sub/hook.run
- )
- '
-
diff --git a/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff b/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff
deleted file mode 100644
index 6cf2874..0000000
--- a/debian/patches/0007-Revert-Add-a-helper-function-to-compare-file-contents.diff
+++ /dev/null
@@ -1,185 +0,0 @@
-From 13b17dea6c851b21ceb9ce163cdd7338f1ec4ecf Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Sat, 18 May 2024 10:32:46 +0000
-Subject: Revert "Add a helper function to compare file contents"
-
-commit 851218a8af645b0abd64882d2b88bc984aa762e9 upstream.
-
-Now that during a `git clone`, the hooks' contents are no longer
-compared to the templates' files', the caller for which the
-`do_files_match()` function was introduced is gone, and therefore this
-function can be retired, too.
-
-This reverts commit 584de0b4c23 (Add a helper function to compare file
-contents, 2024-03-30).
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
----
- copy.c | 58 --------------------------------------
- copy.h | 14 ---------
- t/helper/test-path-utils.c | 10 -------
- t/t0060-path-utils.sh | 41 ---------------------------
- 4 files changed, 123 deletions(-)
-
-diff --git a/copy.c b/copy.c
-index 3df156f6cea..d9d20920126 100644
---- a/copy.c
-+++ b/copy.c
-@@ -70,61 +70,3 @@ int copy_file_with_time(const char *dst, const char *src, int mode)
- return copy_times(dst, src);
- return status;
- }
--
--static int do_symlinks_match(const char *path1, const char *path2)
--{
-- struct strbuf buf1 = STRBUF_INIT, buf2 = STRBUF_INIT;
-- int ret = 0;
--
-- if (!strbuf_readlink(&buf1, path1, 0) &&
-- !strbuf_readlink(&buf2, path2, 0))
-- ret = !strcmp(buf1.buf, buf2.buf);
--
-- strbuf_release(&buf1);
-- strbuf_release(&buf2);
-- return ret;
--}
--
--int do_files_match(const char *path1, const char *path2)
--{
-- struct stat st1, st2;
-- int fd1 = -1, fd2 = -1, ret = 1;
-- char buf1[8192], buf2[8192];
--
-- if ((fd1 = open_nofollow(path1, O_RDONLY)) < 0 ||
-- fstat(fd1, &st1) || !S_ISREG(st1.st_mode)) {
-- if (fd1 < 0 && errno == ELOOP)
-- /* maybe this is a symbolic link? */
-- return do_symlinks_match(path1, path2);
-- ret = 0;
-- } else if ((fd2 = open_nofollow(path2, O_RDONLY)) < 0 ||
-- fstat(fd2, &st2) || !S_ISREG(st2.st_mode)) {
-- ret = 0;
-- }
--
-- if (ret)
-- /* to match, neither must be executable, or both */
-- ret = !(st1.st_mode & 0111) == !(st2.st_mode & 0111);
--
-- if (ret)
-- ret = st1.st_size == st2.st_size;
--
-- while (ret) {
-- ssize_t len1 = read_in_full(fd1, buf1, sizeof(buf1));
-- ssize_t len2 = read_in_full(fd2, buf2, sizeof(buf2));
--
-- if (len1 < 0 || len2 < 0 || len1 != len2)
-- ret = 0; /* read error or different file size */
-- else if (!len1) /* len2 is also 0; hit EOF on both */
-- break; /* ret is still true */
-- else
-- ret = !memcmp(buf1, buf2, len1);
-- }
--
-- if (fd1 >= 0)
-- close(fd1);
-- if (fd2 >= 0)
-- close(fd2);
--
-- return ret;
--}
-diff --git a/copy.h b/copy.h
-index 057259a3a7a..2af77cba864 100644
---- a/copy.h
-+++ b/copy.h
-@@ -7,18 +7,4 @@ int copy_fd(int ifd, int ofd);
- int copy_file(const char *dst, const char *src, int mode);
- int copy_file_with_time(const char *dst, const char *src, int mode);
-
--/*
-- * Compare the file mode and contents of two given files.
-- *
-- * If both files are actually symbolic links, the function returns 1 if the link
-- * targets are identical or 0 if they are not.
-- *
-- * If any of the two files cannot be accessed or in case of read failures, this
-- * function returns 0.
-- *
-- * If the file modes and contents are identical, the function returns 1,
-- * otherwise it returns 0.
-- */
--int do_files_match(const char *path1, const char *path2);
--
- #endif /* COPY_H */
-diff --git a/t/helper/test-path-utils.c b/t/helper/test-path-utils.c
-index 023ed2e1a78..bf0e23ed505 100644
---- a/t/helper/test-path-utils.c
-+++ b/t/helper/test-path-utils.c
-@@ -501,16 +501,6 @@ int cmd__path_utils(int argc, const char **argv)
- return !!res;
- }
-
-- if (argc == 4 && !strcmp(argv[1], "do_files_match")) {
-- int ret = do_files_match(argv[2], argv[3]);
--
-- if (ret)
-- printf("equal\n");
-- else
-- printf("different\n");
-- return !ret;
-- }
--
- fprintf(stderr, "%s: unknown function name: %s\n", argv[0],
- argv[1] ? argv[1] : "(there was none)");
- return 1;
-diff --git a/t/t0060-path-utils.sh b/t/t0060-path-utils.sh
-index 85686ee15da..0afa3d0d312 100755
---- a/t/t0060-path-utils.sh
-+++ b/t/t0060-path-utils.sh
-@@ -610,45 +610,4 @@ test_expect_success !VALGRIND,RUNTIME_PREFIX,CAN_EXEC_IN_PWD '%(prefix)/ works'
- test_cmp expect actual
- '
-
--test_expect_success 'do_files_match()' '
-- test_seq 0 10 >0-10.txt &&
-- test_seq -1 10 >-1-10.txt &&
-- test_seq 1 10 >1-10.txt &&
-- test_seq 1 9 >1-9.txt &&
-- test_seq 0 8 >0-8.txt &&
--
-- test-tool path-utils do_files_match 0-10.txt 0-10.txt >out &&
--
-- assert_fails() {
-- test_must_fail \
-- test-tool path-utils do_files_match "$1" "$2" >out &&
-- grep different out
-- } &&
--
-- assert_fails 0-8.txt 1-9.txt &&
-- assert_fails -1-10.txt 0-10.txt &&
-- assert_fails 1-10.txt 1-9.txt &&
-- assert_fails 1-10.txt .git &&
-- assert_fails does-not-exist 1-10.txt &&
--
-- if test_have_prereq FILEMODE
-- then
-- cp 0-10.txt 0-10.x &&
-- chmod a+x 0-10.x &&
-- assert_fails 0-10.txt 0-10.x
-- fi &&
--
-- if test_have_prereq SYMLINKS
-- then
-- ln -sf 0-10.txt symlink &&
-- ln -s 0-10.txt another-symlink &&
-- ln -s over-the-ocean yet-another-symlink &&
-- ln -s "$PWD/0-10.txt" absolute-symlink &&
-- assert_fails 0-10.txt symlink &&
-- test-tool path-utils do_files_match symlink another-symlink &&
-- assert_fails symlink yet-another-symlink &&
-- assert_fails symlink absolute-symlink
-- fi
--'
--
- test_done
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index 7ff1f37..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1,7 +0,0 @@
-0001-hook-plug-a-new-memory-leak.diff
-0002-Revert-core.hooksPath-add-some-protection-while-cloni.diff
-0003-tests-verify-that-clone-c-core.hooksPath-dev-null-wor.diff
-0004-hook-clone-protections-add-escape-hatch.diff
-0005-hooks-clone-protections-special-case-current-Git-LFS-.diff
-0006-hooks-clone-protections-simplify-templates-hooks-vali.diff
-0007-Revert-Add-a-helper-function-to-compare-file-contents.diff
diff --git a/debian/versions.upstream b/debian/versions.upstream
index 7af7478..6375aef 100644
--- a/debian/versions.upstream
+++ b/debian/versions.upstream
@@ -832,23 +832,27 @@ v2.39.1
v2.39.2
v2.39.3
v2.39.4
+v2.39.5
v2.40.0-rc0
v2.40.0-rc1
v2.40.0-rc2
v2.40.0
v2.40.1
v2.40.2
+v2.40.3
v2.41.0-rc0
v2.41.0-rc1
v2.41.0-rc2
v2.41.0
v2.41.1
+v2.41.2
v2.42.0-rc0
v2.42.0-rc1
v2.42.0-rc2
v2.42.0
v2.42.1
v2.42.2
+v2.42.3
v2.43.0-rc0
v2.43.0-rc1
v2.43.0-rc2
@@ -857,12 +861,15 @@ v2.43.1
v2.43.2
v2.43.3
v2.43.4
+v2.43.5
v2.44.0-rc0
v2.44.0-rc1
v2.44.0-rc2
v2.44.0
v2.44.1
+v2.44.2
v2.45.0-rc0
v2.45.0-rc1
v2.45.0
v2.45.1
+v2.45.2