#13434 closed enhancement (fixed)
git-2.26.2
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 10.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version
Change History (6)
comment:1 by , 6 years ago
| Priority: | normal → high |
|---|
comment:2 by , 6 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 6 years ago
The tests seem to be dependent on hard disk speed. Since I have an HDD on this system, and not an SSD (I've filled all of mine up with previous builds all the way back to 8.3), the tests ran much slower on my system.

CVE-2020-11008
Today, the Git project released v2.26.2 (and corresponding point releases as far back as the v2.17.x track) to address the following issue:

* CVE-2020-11008: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns.
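
The kind of refusal the announcement describes can be sketched as a pre-check that builds the key=value query for a credential helper only when the URL is fully specified. This is an added example, not Git's code: the function names are hypothetical, the parsing uses Python's `urllib` rather than Git's URL handling, and it assumes every empty host is refused.

```python
from urllib.parse import urlsplit, unquote


class UnderSpecified(ValueError):
    """The URL cannot yield a complete, unambiguous credential query."""


def credential_query(url):
    """Return the key=value block for a credential helper, or refuse.

    Hypothetical helper: field names follow the helper protocol's
    "protocol" and "host" keys; the parsing is not Git's own.
    """
    # The helper protocol is line-oriented, so a newline inside any value
    # would be read by the helper as the start of another field.
    if "\n" in url:
        raise UnderSpecified("newline in URL")
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    fields = {
        "protocol": parts.scheme,
        "host": unquote(hostport),
        "username": unquote(userinfo.partition(":")[0]),
        "path": unquote(parts.path.lstrip("/")),
    }
    # Percent-decoding can reintroduce a newline, so check again per field.
    for key, value in fields.items():
        if "\n" in value:
            raise UnderSpecified(f"newline in {key}")
    if not fields["protocol"]:
        raise UnderSpecified("missing scheme")
    if not fields["host"]:
        raise UnderSpecified("empty host")
    return "".join(f"{k}={v}\n" for k, v in fields.items() if v) + "\n"


def refusal_reason(url):
    """Return why a URL is refused, or None when a query can be built."""
    try:
        credential_query(url)
    except UnderSpecified as exc:
        return str(exc)
    return None


# Constructed sample URLs, one per condition in the advisory.
SAMPLES = ["https://example.com/repo.git", "example.com/repo.git",
           "https:///repo.git", "https://example.com/a%0Ab"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", refusal_reason(sample) or "accepted")
```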