git 1:2.11.0-3+deb9u7 source package in Debian

Changelog

git (1:2.11.0-3+deb9u7) stretch-security; urgency=high

  * Apply patches from 2.20.4 to address the security issue
    CVE-2020-11008.

    With a crafted URL that contains a newline or empty host, or
    lacks a scheme, the credential helper machinery can be fooled
    into providing credential information that is not appropriate
    for the protocol in use and host being contacted.

    Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the
    credentials are not for a host of the attacker's choosing.
    Instead, they are for an unspecified host, based on how the
    configured credential helper handles an absent "host"
    parameter.

    The attack has been made impossible by refusing to work with
    underspecified credential patterns.

    Thanks to Carlo Arenas for reporting that Git was still
    vulnerable, Felix Wilhelm for providing the proof of concept
    demonstrating this issue, and Jeff King for promptly providing
    a corrected fix.

    Tested using the proof of concept at
    https://crbug.com/project-zero/2021.

 -- Jonathan Nieder <email address hidden>  Sun, 19 Apr 2020 19:07:44 -0700

Upload details

Uploaded by: Gerrit Pape
Uploaded to: Stretch
Original maintainer: Gerrit Pape
Architectures: any all
Section: vcs
Urgency: Very Urgent

Publishing

Series Pocket Published Component Section
Stretch release main vcs

Downloads

File                               Size       SHA-256 Checksum
git_2.11.0-3+deb9u7.dsc            2.9 KiB    7f2be1b1709c216ad06590687cc8fc0ff6b55a6c3e0ad6ec32b2567ce10adec1
git_2.11.0.orig.tar.xz             4.0 MiB    7e7e8d69d494892373b87007674be5820a4bc1ef596a0117d03ea3169119fd0b
git_2.11.0-3+deb9u7.debian.tar.xz  595.9 KiB  3f54b7ea7b8cda477ddb559c63de063c5bd49d8ab772330c05c79ace546ce38d

No changes file available.

Binary packages built by this source