diff options
author | Jonathan Nieder <jrnieder@gmail.com> | 2020-04-19 16:24:14 -0700 |
---|---|---|
committer | Jonathan Nieder <jrnieder@gmail.com> | 2020-04-19 16:24:14 -0700 |
commit | ba6f0905fdb9e65c1ac5fbc79c9a4ef0b59b3e68 (patch) | |
tree | 568cffa77566b7b50fed2a7db52f89cf26016ef2 /Documentation | |
parent | Git 2.18.3 (diff) | |
parent | Git 2.17.5 (diff) | |
download | tgif-ba6f0905fdb9e65c1ac5fbc79c9a4ef0b59b3e68.tar.xz |
Git 2.18.4
This merges up the security fix from v2.17.5.
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/RelNotes/2.17.5.txt | 22 | ||||
-rw-r--r-- | Documentation/RelNotes/2.18.4.txt | 5 |
2 files changed, 27 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt new file mode 100644 index 0000000000..2abb821a73 --- /dev/null +++ b/Documentation/RelNotes/2.17.5.txt @@ -0,0 +1,22 @@ +Git v2.17.5 Release Notes +========================= + +This release is to address a security issue: CVE-2020-11008 + +Fixes since v2.17.4 +------------------- + + * With a crafted URL that contains a newline or empty host, or lacks + a scheme, the credential helper machinery can be fooled into + providing credential information that is not appropriate for the + protocol in use and host being contacted. + + Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the + credentials are not for a host of the attacker's choosing; instead, + they are for some unspecified host (based on how the configured + credential helper handles an absent "host" parameter). + + The attack has been made impossible by refusing to work with + under-specified credential patterns. + +Credit for finding the vulnerability goes to Carlo Arenas. diff --git a/Documentation/RelNotes/2.18.4.txt b/Documentation/RelNotes/2.18.4.txt new file mode 100644 index 0000000000..e8ef858a00 --- /dev/null +++ b/Documentation/RelNotes/2.18.4.txt @@ -0,0 +1,5 @@ +Git v2.18.4 Release Notes +========================= + +This release merges the security fix that appears in v2.17.5; see +the release notes for that version for details. |