ASA-2019-00662 – Git: Recursive submodule cloning allows using git directory twice with synonymous directory name written in .git/

When submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice. When using submodule paths that refer to the same file system entity (e.g. using the NTFS Alternate Data Streams attack mentioned in CVE-2019-1352 where files would be written to the `.git/` directory using a synonymous directory name), it was possible to "squat" on the `git~1` shortname on NTFS drives, opening attacks via `git~2`. This also affects Git when run as a Linux application inside the Windows Subsystem for Linux.

ASA-2019-00222 – GitLab: EXIF geolocation data not stripped from uploaded images

Images uploaded to GitLab were not stripped of EXIF geolocation data. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data, if present.