diff options
author | Jeff King <peff@peff.net> | 2020-04-19 06:34:55 (GMT) |
---|---|---|
committer | Jonathan Nieder <jrnieder@gmail.com> | 2020-04-19 23:10:58 (GMT) |
commit | df5be6dc3fd18c294ec93a9af0321334e3f92c9c (patch) | |
tree | 2db77b363da50260dc261cea0ec57df7121d6efe /Documentation | |
parent | 1a3609e402a062ef7b11f197fe96c28cabca132c (diff) | |
download | git-df5be6dc3fd18c294ec93a9af0321334e3f92c9c.zip git-df5be6dc3fd18c294ec93a9af0321334e3f92c9c.tar.gz git-df5be6dc3fd18c294ec93a9af0321334e3f92c9c.tar.bz2 |
Git 2.17.5v2.17.5
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/RelNotes/2.17.5.txt | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt new file mode 100644 index 0000000..2abb821 --- /dev/null +++ b/Documentation/RelNotes/2.17.5.txt @@ -0,0 +1,22 @@ +Git v2.17.5 Release Notes +========================= + +This release is to address a security issue: CVE-2020-11008 + +Fixes since v2.17.4 +------------------- + + * With a crafted URL that contains a newline or empty host, or lacks + a scheme, the credential helper machinery can be fooled into + providing credential information that is not appropriate for the + protocol in use and host being contacted. + + Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the + credentials are not for a host of the attacker's choosing; instead, + they are for some unspecified host (based on how the configured + credential helper handles an absent "host" parameter). + + The attack has been made impossible by refusing to work with + under-specified credential patterns. + +Credit for finding the vulnerability goes to Carlo Arenas. |