Update git because of CVE-2022-23521

https://answers.launchpad.net/ubuntu/+source/git/+question/704452
https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.6

Status changed to 'Confirmed' because the bug affects multiple users.

It appears that Canonical does not want to provide a fixed version.

So I decided to change the git source repo, and get a fresh git with:

sudo add-apt-repository ppa:git-core/ppa
sudo apt update
sudo apt install git -y

now check the version with: git --version

and it has 2.39.2, works on Ubuntu 18.04 without issues.

Conclusion: there is no reason to stick at the old git 2.17.1 on that distro.

As shown at https://ubuntu.com/security/CVE-2022-23521, Canonical *did* provide a fix for this, including for the three versions of Ubuntu mentioned here (18.04 bionic, 20.04 focal, 22.04 jammy). That Ubuntu Security Notice was published a day before this bug report was opened, and unless I'm missing something, it looks like this bug report was based on a misconception about how security patches and their associated versioning works.

Most security patches in Debian, Ubuntu, and most (though not all) distros are are provided as patched versions that add only the fix for the security vulnerability, without new feature changes. In Ubuntu, this relates to https://wiki.ubuntu.com/StableReleaseUpdates. That is what https://bugs.launchpad.net/ubuntu/+source/git/+bug/2003204/comments/1 above is referring to. The fixed packages' version numbers did not match the expectation expressed in the bug description here, but they did fix the bug.

Of course, it can still be valuable to use ppa:git-core/ppa if one wants the *features* of a new git version, such as performance, additional options, more user-friendly messages, and so forth. But getting fixes for security vulnerabilities does not generally require this, and did not require it in the case of CVE-2022-23521.