From: Junio C Hamano <gitster@pobox.com> To: git@vger.kernel.org Cc: Linux Kernel <linux-kernel@vger.kernel.org>, git-packagers@googlegroups.com Subject: [Announce] Git v2.26.2 and others Date: Mon, 20 Apr 2020 11:02:55 -0700 Message-ID: <xmqq4kterq5s.fsf@gitster.c.googlers.com> (raw) Today, the Git project is releasing the following Git versions: v2.26.2, v2.25.4, v2.24.3, v2.23.3, v2.22.4, v2.21.3, v2.20.4, v2.19.5, v2.18.4, and v2.17.5. These releases address the security issue CVE-2020-11008, which is similar to the recently addressed CVE-2020-5260. Users of the affected maintenance tracks are urged to upgrade. The tarballs are found at: https://www.kernel.org/pub/software/scm/git/ The following public repositories all have a copy of the 'v2.26.2' and other tags: url = https://kernel.googlesource.com/pub/scm/git/git url = git://repo.or.cz/alt-git.git url = https://github.com/gitster/git Attached below is the release notes for 2.17.5; all the newer maintenance tracks listed at the beginning of this message are updated with the same fix, so I won't repeat them here. Thanks. -------------------------------------------------- Git v2.17.5 Release Notes ========================= This release is to address a security issue: CVE-2020-11008 Fixes since v2.17.4 ------------------- * With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. Credit for finding the vulnerability goes to Carlo Arenas.
reply index Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=xmqq4kterq5s.fsf@gitster.c.googlers.com \ --to=gitster@pobox.com \ --cc=git-packagers@googlegroups.com \ --cc=git@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Git Mailing List Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/git/0 git/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 git git/ https://lore.kernel.org/git \ git@vger.kernel.org public-inbox-index git Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.git AGPL code for this site: git clone https://public-inbox.org/public-inbox.git