diff options
author | Jonathan Nieder <jrnieder@gmail.com> | 2020-04-19 16:30:34 -0700 |
---|---|---|
committer | Jonathan Nieder <jrnieder@gmail.com> | 2020-04-19 16:30:34 -0700 |
commit | b86a4be245d0ba077c97c6ab6b1cdbeb9dcc1342 (patch) | |
tree | 1dde4745773d761f1a4a677e1dcbf8149a27113b /Documentation/RelNotes/2.17.5.txt | |
parent | Git 2.24.2 (diff) | |
parent | Git 2.23.3 (diff) | |
download | tgif-b86a4be245d0ba077c97c6ab6b1cdbeb9dcc1342.tar.xz |
Git 2.24.3
This merges up the security fix from v2.17.5.
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Diffstat (limited to 'Documentation/RelNotes/2.17.5.txt')
-rw-r--r-- | Documentation/RelNotes/2.17.5.txt | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt new file mode 100644 index 0000000000..2abb821a73 --- /dev/null +++ b/Documentation/RelNotes/2.17.5.txt @@ -0,0 +1,22 @@ +Git v2.17.5 Release Notes +========================= + +This release is to address a security issue: CVE-2020-11008 + +Fixes since v2.17.4 +------------------- + + * With a crafted URL that contains a newline or empty host, or lacks + a scheme, the credential helper machinery can be fooled into + providing credential information that is not appropriate for the + protocol in use and host being contacted. + + Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the + credentials are not for a host of the attacker's choosing; instead, + they are for some unspecified host (based on how the configured + credential helper handles an absent "host" parameter). + + The attack has been made impossible by refusing to work with + under-specified credential patterns. + +Credit for finding the vulnerability goes to Carlo Arenas. |