* [Announce] Git v2.26.1 and others
@ 2020-04-14 18:03 Junio C Hamano
0 siblings, 0 replies; only message in thread
From: Junio C Hamano @ 2020-04-14 18:03 UTC (permalink / raw)
To: git; +Cc: Linux Kernel, git-packagers
Today, the Git project is releasing the following Git versions:
v2.26.1, v2.25.3, v2.24.2, v2.23.2, v2.22.3, v2.21.2, v2.20.3,
v2.19.4, v2.18.3, and v2.17.4
These releases address the security issue CVE-2020-5260, which
allowed a crafted URL to trick a Git client to send credential
information for a wrong host to the attacker's site. Credit for
finding the vulnerability goes to Felix Wilhelm of Google Project
Zero, and credit for fixing it goes to Jeff King of GitHub.
Users of the affected maintenance tracks are urged to upgrade.
The tarballs are found at:
The following public repositories all have a copy of the 'v2.26.1'
and other tags:
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
Attached below is the release notes for 2.17.4; all the newer
maintenance tracks listed at the beginning of this message are
updated with the same fix, so I won't repeat them here.
Git v2.17.4 Release Notes
This release is to address the security issue: CVE-2020-5260
Fixes since v2.17.3
* With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host. The attack has been made impossible by forbidding
a newline character in any value passed via the credential
Credit for finding the vulnerability goes to Felix Wilhelm of Google
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2020-04-14 18:03 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-14 18:03 [Announce] Git v2.26.1 and others Junio C Hamano
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).