git 1:2.26.2-1 source package in Debian

Changelog

git (1:2.26.2-1) unstable; urgency=high

  * new upstream point release (see RelNotes/2.26.2.txt).
    * Addresses the security issue CVE-2020-11008.

      With a crafted URL that contains a newline or empty host, or
      lacks a scheme, the credential helper machinery can be fooled
      into providing credential information that is not appropriate
      for the protocol in use and host being contacted.

      Unlike the vulnerability fixed in 2.26.1, the credentials are
      not for a host of the attacker's choosing.  Instead, they are
      for an unspecified host, based on how the configured
      credential helper handles an absent "host" parameter.

      The attack has been made impossible by refusing to work with
      underspecified credential patterns.

      Thanks to Carlo Arenas for reporting that Git was still
      vulnerable, Felix Wilhelm for providing the proof of concept
      demonstrating this issue, and Jeff King for promptly providing
      a corrected fix.

      Tested using the proof of concept at
      https://crbug.com/project-zero/2021.

 -- Jonathan Nieder <email address hidden>  Mon, 20 Apr 2020 10:44:09 -0700
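
The three URL conditions named in the changelog entry above (a newline, an empty host, a missing scheme) can be checked before a URL is handed to anything that looks up credentials. The following is an added example, not Git's or Debian's code: the function names are hypothetical, `git.example` is a constructed placeholder host, and treating every empty host as underspecified is an assumption of this sketch.

```python
from urllib.parse import urlsplit, unquote

def credential_url_problems(url):
    """List the ways a URL is underspecified for a credential lookup."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")
    # Percent-decode before checking: "%0a" becomes a real newline, which
    # would start a new line in the key=value text sent to a helper.
    decoded = [host, unquote(parts.path),
               unquote(parts.username or ""), unquote(parts.password or "")]
    problems = []
    if "\n" in url or any("\n" in field for field in decoded):
        problems.append("newline")
    if not parts.scheme:
        problems.append("no scheme")
    if not host:
        problems.append("empty host")
    return problems

def helper_request(url):
    """Build helper input (key=value lines, blank line last) or refuse."""
    problems = credential_url_problems(url)
    if problems:
        raise ValueError("refusing credential lookup: " + ", ".join(problems))
    parts = urlsplit(url)
    return "protocol=%s\nhost=%s\n\n" % (parts.scheme, parts.hostname)

# Constructed sample URLs, one per condition plus a well-formed one.
SAMPLES = [
    "https://git.example/repo.git",     # fully specified
    "//git.example/repo.git",           # lacks a scheme
    "https:///repo.git",                # empty host
    "https://git.example%0a/repo.git",  # encoded newline in the host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(repr(url), credential_url_problems(url) or "ok")
```

Run over the URLs in a repository's `.gitmodules` or a CI job's clone list, this flags entries that an unpatched Git would pass to the helper without a usable host.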

Upload details

Uploaded by: Jonathan Nieder
Uploaded to: Sid
Original maintainer: Jonathan Nieder
Architectures: any all
Section: vcs
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
git_2.26.2-1.dsc 2.8 KiB 2ac1155aad5cf16ca6a1c11d33ac2efb8a2b9d2a7eac6c8597c0a842ca15d0e2
git_2.26.2.orig.tar.xz 5.7 MiB 6d65132471df9e531807cb2746f8be317e22a343b9385bbe11c9ce7f0d2fc848
git_2.26.2-1.debian.tar.xz 631.7 KiB 0a5d96cb3199411220b6ae2cf4ac39f100b606d7a89a4b7328a25ef1c76f1326

No changes file available.

Binary packages built by this source