You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23 lines
828 B
23 lines
828 B
5 years ago
|
Git v2.17.5 Release Notes
|
||
|
=========================
|
||
|
|
||
|
This release is to address a security issue: CVE-2020-11008
|
||
|
|
||
|
Fixes since v2.17.4
|
||
|
-------------------
|
||
|
|
||
|
* With a crafted URL that contains a newline or empty host, or lacks
|
||
|
a scheme, the credential helper machinery can be fooled into
|
||
|
providing credential information that is not appropriate for the
|
||
|
protocol in use and host being contacted.
|
||
|
|
||
|
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
|
||
|
credentials are not for a host of the attacker's choosing; instead,
|
||
|
they are for some unspecified host (based on how the configured
|
||
|
credential helper handles an absent "host" parameter).
|
||
|
|
||
|
The attack has been made impossible by refusing to work with
|
||
|
under-specified credential patterns.
|
||
|
|
||
|
Credit for finding the vulnerability goes to Carlo Arenas.
|