* [Announce] Git v2.26.2 and others
@ 2020-04-20 18:02 Junio C Hamano
0 siblings, 0 replies; only message in thread
From: Junio C Hamano @ 2020-04-20 18:02 UTC (permalink / raw)
To: git; +Cc: Linux Kernel, git-packagers
Today, the Git project is releasing the following Git versions:
v2.26.2, v2.25.4, v2.24.3, v2.23.3, v2.22.4, v2.21.3, v2.20.4,
v2.19.5, v2.18.4, and v2.17.5.
These releases address the security issue CVE-2020-11008, which is
similar to the recently addressed CVE-2020-5260.
Users of the affected maintenance tracks are urged to upgrade.
The tarballs are found at:
The following public repositories all have a copy of the 'v2.26.2'
and other tags:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
Attached below is the release notes for 2.17.5; all the newer
maintenance tracks listed at the beginning of this message are
updated with the same fix, so I won't repeat them here.
Git v2.17.5 Release Notes
This release is to address a security issue: CVE-2020-11008
Fixes since v2.17.4
* With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
Credit for finding the vulnerability goes to Carlo Arenas.
^ permalink raw reply [flat|nested] only message in thread
only message in thread, back to index
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-20 18:02 [Announce] Git v2.26.2 and others Junio C Hamano
Git Mailing List Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/git/0 git/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 git git/ https://lore.kernel.org/git \
Example config snippet for mirrors
Newsgroup available over NNTP:
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git