From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
git-packagers@googlegroups.com
Subject: [Announce] Git v2.26.2 and others
Date: Mon, 20 Apr 2020 11:02:55 -0700
Message-ID: <xmqq4kterq5s.fsf@gitster.c.googlers.com> (raw)
Today, the Git project is releasing the following Git versions:
v2.26.2, v2.25.4, v2.24.3, v2.23.3, v2.22.4, v2.21.3, v2.20.4,
v2.19.5, v2.18.4, and v2.17.5.
These releases address the security issue CVE-2020-11008, which is
similar to the recently addressed CVE-2020-5260.
Users of the affected maintenance tracks are urged to upgrade.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the 'v2.26.2'
and other tags:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
Attached below is the release notes for 2.17.5; all the newer
maintenance tracks listed at the beginning of this message are
updated with the same fix, so I won't repeat them here.
Thanks.
--------------------------------------------------
Git v2.17.5 Release Notes
=========================
This release is to address a security issue: CVE-2020-11008
Fixes since v2.17.4
-------------------
* With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
Credit for finding the vulnerability goes to Carlo Arenas.
reply index
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq4kterq5s.fsf@gitster.c.googlers.com \
--to=gitster@pobox.com \
--cc=git-packagers@googlegroups.com \
--cc=git@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Mailing List Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/git/0 git/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 git git/ https://lore.kernel.org/git \
git@vger.kernel.org
public-inbox-index git
Example config snippet for mirrors
Newsgroup available over NNTP:
nntp://nntp.lore.kernel.org/org.kernel.vger.git
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git