File: 2.17.5.txt

package info (click to toggle)
cgit 1.2.3%2Bgit20240802.70.09d24d7%2Bgit2.46.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 56,184 kB
  • sloc: ansic: 301,641; sh: 254,574; perl: 29,353; tcl: 22,151; makefile: 4,198; python: 3,594; javascript: 810; csh: 45; ruby: 43; lisp: 12
file content (22 lines) | stat: -rw-r--r-- 828 bytes parent folder | download | duplicates (10) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 
Git v2.17.5 Release Notes
=========================

This release is to address a security issue: CVE-2020-11008

Fixes since v2.17.4
-------------------

 * With a crafted URL that contains a newline or empty host, or lacks
   a scheme, the credential helper machinery can be fooled into
   providing credential information that is not appropriate for the
   protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
   credentials are not for a host of the attacker's choosing; instead,
   they are for some unspecified host (based on how the configured
   credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with
   under-specified credential patterns.

Credit for finding the vulnerability goes to Carlo Arenas.