From df5be6dc3fd18c294ec93a9af0321334e3f92c9c Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sun, 19 Apr 2020 02:34:55 -0400 Subject: Git 2.17.5 Signed-off-by: Jeff King Signed-off-by: Jonathan Nieder --- Documentation/RelNotes/2.17.5.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 Documentation/RelNotes/2.17.5.txt (limited to 'Documentation/RelNotes/2.17.5.txt') diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt new file mode 100644 index 0000000000..2abb821a73 --- /dev/null +++ b/Documentation/RelNotes/2.17.5.txt @@ -0,0 +1,22 @@ +Git v2.17.5 Release Notes +========================= + +This release is to address a security issue: CVE-2020-11008 + +Fixes since v2.17.4 +------------------- + + * With a crafted URL that contains a newline or empty host, or lacks + a scheme, the credential helper machinery can be fooled into + providing credential information that is not appropriate for the + protocol in use and host being contacted. + + Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the + credentials are not for a host of the attacker's choosing; instead, + they are for some unspecified host (based on how the configured + credential helper handles an absent "host" parameter). + + The attack has been made impossible by refusing to work with + under-specified credential patterns. + +Credit for finding the vulnerability goes to Carlo Arenas. -- cgit v1.2.3