Opened 2 months ago

Closed 2 months ago

#20928 closed enhancement (fixed)

git-2.48.1

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Team,

The Git project released new security bug-fix versions today, January
14th, 2025: v2.48.1, v2.47.1, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4,
v2.41.3, and v2.40.4.

The addressed issues are:

    - CVE-2024-50349:

      Printing unsanitized URLs when asking for credentials makes the user
      susceptible to crafted URLs (e.g. in recursive clones). These URLs
      can mislead the user into typing in passwords for trusted sites that
      would then be sent to untrusted sites instead.

      A potential scenario of how this can be exploited is a recursive
      clone where one of the submodules prompts for a password, pretending
      to ask for a different host than the password will be sent to.

    - CVE-2024-52006:

      Git may pass on Carriage Returns via the credential protocol to
      credential helpers which use line-reading functions that interpret
      Carriage Returns as line endings, even though this is not what was
      intended (but Git’s documentation did not clarify that "newline"
      meant "Line Feed character").

      This affected the popular .NET-based Git Credential Manager, which
      has been updated accordingly in coordination with the Git project.

Ciao,
Johannes

Note that the description at NVD for CVE-2024-52006 also mentions node.js.
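
The line-ending mismatch described above for CVE-2024-52006, as an added Python illustration (not code from Git, Git Credential Manager or this ticket): the same credential-protocol message is read once with LF as the only terminator and once by a reader that also treats CR as a line ending, next to a strict parser that rejects such input. Function names, host names and message bytes are constructed for the example.

```python
import re

LF_ONLY = re.compile(rb"\n")           # what Git's documentation means by "newline"
ANY_EOL = re.compile(rb"\r\n|\r|\n")   # what many line-reading functions accept

def parse(data: bytes, eol: re.Pattern) -> dict:
    """Parse key=value credential attributes, stopping at the first blank line."""
    attrs = {}
    for line in eol.split(data):
        if not line:
            break
        key, sep, value = line.partition(b"=")
        if not sep or not key:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[key.decode()] = value  # a repeated key overwrites the earlier one
    return attrs

def parse_strict(data: bytes) -> dict:
    """LF-only parse that refuses bytes a helper could misread as a line ending."""
    attrs = parse(data, LF_ONLY)
    for key, value in attrs.items():
        if b"\r" in value or b"\0" in value:
            raise ValueError(f"control byte in value of {key!r}")
    return attrs

def readers_disagree(data: bytes) -> bool:
    """True when an LF-only reader and a CR-tolerant reader see different attributes."""
    return parse(data, LF_ONLY) != parse(data, ANY_EOL)

# Constructed sample input (not captured traffic): in WITH_CR one value carries a CR.
BENIGN = b"protocol=https\nhost=git.example\npath=repo.git\n\n"
WITH_CR = b"protocol=https\nhost=git.example\npath=repo.git\rhost=other.example\n\n"

if __name__ == "__main__":
    for name, msg in (("BENIGN", BENIGN), ("WITH_CR", WITH_CR)):
        print(name, "LF-only:    ", parse(msg, LF_ONLY))
        print(name, "CR-tolerant:", parse(msg, ANY_EOL))
        try:
            parse_strict(msg)
            print(name, "strict:      accepted")
        except ValueError as exc:
            print(name, "strict:      rejected:", exc)
```

A helper that validates its input this way fails closed on any message where the two readings could diverge, which is the property to test for when auditing a credential helper's line handling.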

Change History (2)

comment:1 by Douglas R. Reno, 2 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 2 months ago

Resolution: fixed
Status: assigned → closed

Fixed at cea2f8547123ef8cf534b254fe0439fc6ef49a83

SA-12.2-066 issued
