Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#13434 closed enhancement (fixed)


Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New point version

Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Priority: normalhigh


Today, the Git project released v2.26.2 (and corresponding point
releases as far back as the v2.17.x track) to address the following

  * CVE-2020-11008:
    With a crafted URL that contains a newline or empty host, or lacks a
    scheme, the credential helper machinery can be fooled into providing
    credential information that is not appropriate for the protocol in
    use and host being contacted.

    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    credentials are not for a host of the attacker's choosing; instead,
    they are for some unspecified host (based on how the configured
    credential helper handles an absent "host" parameter).

    The attack has been made impossible by refusing to work with
    under-specified credential patterns.

comment:2 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:3 by Douglas R. Reno, 3 years ago

The tests seem to be dependent on hard disk speed. Since I have an HDD on this system, and not an SSD (I've filled all of mine up with previous builds all the way back to 8.3), the tests ran much slower on my system.

comment:4 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r23017

comment:5 by Bruce Dubbs, 3 years ago

Milestone: 9.210,0

Milestone renamed

comment:6 by Bruce Dubbs, 3 years ago

Milestone: 10,010.0

Milestone renamed

Note: See TracTickets for help on using tickets.