Opened 3 years ago
Closed 3 years ago
Last modified 3 years ago
New point version
Today, the Git project released v2.26.2 (and corresponding point
releases as far back as the v2.17.x track) to address the following
With a crafted URL that contains a newline or empty host, or lacks a
scheme, the credential helper machinery can be fooled into providing
credential information that is not appropriate for the protocol in
use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
The tests seem to be dependent on hard disk speed. Since I have an HDD on this system, and not an SSD (I've filled all of mine up with previous builds all the way back to 8.3), the tests ran much slower on my system.
Fixed at r23017
Powered by Trac 1.5.3.dev0
By Edgewall Software
© 1998-2022 Gerard Beekmans.