#13417 closed defect (fixed)
git-2.26.1
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 10.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Today, the Git project is releasing the following Git versions:
v2.26.1, v2.25.3, v2.24.2, v2.23.2, v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4
These releases address the security issue CVE-2020-5260, which allowed a crafted URL to trick a Git client to send credential information for a wrong host to the attacker's site. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero, and credit for fixing it goes to Jeff King of GitHub.
Users of the affected maintenance tracks are urged to upgrade.
- With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero.
Change History (5)
comment:1 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 4 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:3 by , 4 years ago
I added errata for this at r1546 in the www repo. It's marked 9.3/10 CRITICAL by the NVD
Note:
See TracTickets
for help on using tickets.
r22997