Changelog

git (1:2.20.1-2+deb10u3) buster-security; urgency=high

  * new upstream point release (see RelNotes/2.20.4.txt).
    * Addresses the security issue CVE-2020-11008.

      With a crafted URL that contains a newline or empty host, or
      lacks a scheme, the credential helper machinery can be fooled
      into providing credential information that is not appropriate
      for the protocol in use and host being contacted.

      Unlike the vulnerability fixed in 1:2.20.1-2+deb10u2, the
      credentials are not for a host of the attacker's choosing.
      Instead, they are for an unspecified host, based on how the
      configured credential helper handles an absent "host"
      parameter.

      The attack has been made impossible by refusing to work with
      underspecified credential patterns.

      Thanks to Carlo Arenas for reporting that Git was still
      vulnerable, Felix Wilhelm for providing the proof of concept
      demonstrating this issue, and Jeff King for promptly providing
      a corrected fix.

      Tested using the proof of concept at
      https://crbug.com/project-zero/2021.

 -- Jonathan Nieder <email address hidden>  Sun, 19 Apr 2020 17:19:12 -0700
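The check described above, as an added illustration that is not Git's own code: a small Python model of the git-credential key=value protocol that refuses underspecified patterns (missing protocol or host), together with a URL-to-fields conversion that rejects the three malformed shapes the entry names (embedded newline, empty host, no scheme). Exact field names and the "path" handling are assumptions for the example, not a copy of the fixed upstream logic.

```python
from urllib.parse import urlsplit

# Fields a credential helper needs before it may release a stored secret.
REQUIRED = ("protocol", "host")


def parse_credential_input(text: str) -> dict:
    """Parse git-credential style key=value lines; a blank line ends the record."""
    fields = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        fields[key] = value
    return fields


def is_underspecified(fields: dict) -> bool:
    """True when protocol or host is absent or empty: such a pattern must not be served."""
    return any(not fields.get(key) for key in REQUIRED)


def credential_fields_from_url(url: str) -> dict:
    """Turn a remote URL into credential fields, refusing the malformed shapes."""
    if "\n" in url or "\r" in url:
        raise ValueError("newline in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError("URL lacks a scheme")
    if not parts.hostname:
        raise ValueError("URL has an empty host")
    fields = {"protocol": parts.scheme, "host": parts.hostname}
    if parts.port:
        fields["host"] = f"{parts.hostname}:{parts.port}"
    if parts.username:
        fields["username"] = parts.username
    if parts.path and parts.path != "/":
        fields["path"] = parts.path.lstrip("/")  # assumed convention for this example
    return fields


def url_is_acceptable(url: str) -> bool:
    """Convenience wrapper: False for any URL the conversion refuses."""
    try:
        return not is_underspecified(credential_fields_from_url(url))
    except ValueError:
        return False
```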