From c42c0f12972194564f039dcf580d89ca14ae72d6 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 17 Mar 2020 13:23:48 -0700 Subject: Git 2.17.4 Signed-off-by: Junio C Hamano --- Documentation/RelNotes/2.17.4.txt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 Documentation/RelNotes/2.17.4.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.17.4.txt b/Documentation/RelNotes/2.17.4.txt new file mode 100644 index 0000000000..7d794ca01a --- /dev/null +++ b/Documentation/RelNotes/2.17.4.txt @@ -0,0 +1,16 @@ +Git v2.17.4 Release Notes +========================= + +This release is to address the security issue: CVE-2020-5260 + +Fixes since v2.17.3 +------------------- + + * With a crafted URL that contains a newline in it, the credential + helper machinery can be fooled to give credential information for + a wrong host. The attack has been made impossible by forbidding + a newline character in any value passed via the credential + protocol. + +Credit for finding the vulnerability goes to Felix Wilhelm of Google +Project Zero. -- cgit v1.2.3