-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 12 Apr 2020 17:49:00 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source all amd64
Version: 1:2.11.0-3+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git        - fast, scalable, distributed revision control system
 git-all    - fast, scalable, distributed revision control system (all subpacka
 git-arch   - fast, scalable, distributed revision control system (arch interop
 git-core   - fast, scalable, distributed revision control system (obsolete)
 git-cvs    - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc    - fast, scalable, distributed revision control system (documentatio
 git-el     - fast, scalable, distributed revision control system (emacs suppor
 git-email  - fast, scalable, distributed revision control system (email add-on
 git-gui    - fast, scalable, distributed revision control system (GUI)
 git-man    - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn    - fast, scalable, distributed revision control system (svn interope
 gitk       - fast, scalable, distributed revision control system (revision tre
 gitweb     - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u6) stretch-security; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Apply patches from 2.20.3 to address the security issue CVE-2020-5260.
 .
     With a crafted URL that contains a newline, the credential helper
     machinery can be fooled to supply credential information for the
     wrong host.
     The attack has been made impossible by forbidding a newline character
     in any value passed via the credential protocol.
 .
     Thanks to Felix Wilhelm of Google Project Zero for finding this
     vulnerability and Jeff King for fixing it.
 .
   [ Jonathan Nieder ]
   * Apply security-relevant changes from 2.11.1:
     * doc: mention transfer data leaks in more places (thx to Matt McCutchen).
     * remote-curl: don't hang when a server dies before any output
       (thx to David Turner).
     * merge: avoid crlf handling related NULL dereference
       (thx to Markus Klein and Johannes Schindelin).
     * http: avoid private repository theft by mixing repositories
       (thx to Jann Horn of Google Project Zero).
     * avoid under-allocation in shallow clone code (thx to Rasmus Villemoes).
     * git-svn: allow "0" in SVN path components (thx to Eric Wong).
     * config: handle errors from fstat
       (thx to Josh Bleecher Snyder and Nguyễn Thái Ngọc Duy).
     * git_exec_path: do not return the result of getenv (thx to Jeff King).
   * Apply security-relevant changes from 2.12.1, 2.12.2, 2.12.3:
     * show-branch: avoid buffer overflow on long current branch name
       (thx to Jeff King).
     * ident: handle NULL email when complaining of empty name
       (thx to Jeff King).
     * log -L: use COPY_ARRAY to fix mis-sized memcpy on ILP32 systems
       (thx to Vegard Nossum).
     * dumb http: fix buffer underflow processing remote alternates
       (thx to Jeff King).
     * log -S: avoid out-of-bounds read with -S --pickaxe-regex
       (thx to SZEDER Gábor).
   * Apply security- and portability-relevant changes from 2.13.1, 2.13.3, 2.13.4:
     * checkout, am: avoid NULL pointer dereference when HEAD is invalid
       (thx to René Scharfe).
     * pack-bitmap: don't perform unaligned memory access (thx to James Clarke).
     * apply: avoid out of bounds reads when processing malformed patches
       (thx to Vegard Nossum and René Scharfe).
     * log -g: avoid use-after-free when reading empty reflog in date order
       (thx to Jeff King).
   * Apply security-relevant changes from 2.14.3:
     * avoid reading uninitialized memory when HEAD is too short
       (thx to Jeff King).
     * fsck: avoid NULL pointer dereference when encountering objects of
       unexpected type (thx to SZEDER Gábor and René Scharfe).
Checksums-Sha1:
 e90b1336e6c4bc87ca08e5a454704fe724b8c669 2944 git_2.11.0-3+deb9u6.dsc
 be8311d2fee268d5aba86dc0935262bfdb246939 601716 git_2.11.0-3+deb9u6.debian.tar.xz
 44ee0d3464bffbdad49a8222d88da9eafd148e15 673506 git-all_2.11.0-3+deb9u6_all.deb
 9b1e0537ad322cb211ef57fa2aaa26d004ddbde1 686148 git-arch_2.11.0-3+deb9u6_all.deb
 35dbf62771e50d9985c6733f4c5bba036099887c 1416 git-core_2.11.0-3+deb9u6_all.deb
 1171605c5ffc1d0f826572d2ffbc64e5c4ce4a71 736502 git-cvs_2.11.0-3+deb9u6_all.deb
 bb64895d74563e0502c0f305cdda8df5b2c72458 675068 git-daemon-run_2.11.0-3+deb9u6_all.deb
 5cd2912b91b432286dfc592d99d36a7854fc0bab 675450 git-daemon-sysvinit_2.11.0-3+deb9u6_all.deb
 465fe8e3ff887a9bebf1fd3203e032a7aa208e81 30274368 git-dbgsym_2.11.0-3+deb9u6_amd64.deb
 de1d243a6deb75d356bdaabae88296322f6fcff6 1536656 git-doc_2.11.0-3+deb9u6_all.deb
 5a6704cdf4da8ea1ddc9e964726862f7e3c22da9 692994 git-el_2.11.0-3+deb9u6_all.deb
 6e94a17270adddfc86d1a20040ed1807c8e94e3e 695288 git-email_2.11.0-3+deb9u6_all.deb
 dba65a6d9a961b71c9b265fb752c260df48cc7f7 882862 git-gui_2.11.0-3+deb9u6_all.deb
 b15007da59c762c85f274b4113e85230284da4b9 1436482 git-man_2.11.0-3+deb9u6_all.deb
 085df2a8076917e40633fde6ccb70adccf1ece57 688398 git-mediawiki_2.11.0-3+deb9u6_all.deb
 d5349f765b637edd9be374b14a29610521057424 758244 git-svn_2.11.0-3+deb9u6_all.deb
 4715b003c2dba360c0e45501313eea20887d0409 13070 git_2.11.0-3+deb9u6_amd64.buildinfo
 4bb6b7ce77cb94d9a8ef28725ae6246b1fe3973e 4163854 git_2.11.0-3+deb9u6_amd64.deb
 af2edf5094dc75d1acfa82806ebb15ebd4678a92 799544 gitk_2.11.0-3+deb9u6_all.deb
 d94c34b232a31267f32213ceba7e6322df916e68 676986 gitweb_2.11.0-3+deb9u6_all.deb
Checksums-Sha256:
 f51ffaa3f77f93f311f19d7b35d6832695fc2c79eadffeaaff3af723f76f5aaa 2944 git_2.11.0-3+deb9u6.dsc
 72788b660a860138106aa106ed35a99177ca1503f007661f53750ebf6faecf24 601716 git_2.11.0-3+deb9u6.debian.tar.xz
 e2ff30f3b719cc94ee1c3ae2623ae7d28fa9653969b2251786648a3ff1a1f608 673506 git-all_2.11.0-3+deb9u6_all.deb
 35a89c33a1da5b49abb0a108d5f1cf71855c499a81a79ae4ca5281b8f354a56a 686148 git-arch_2.11.0-3+deb9u6_all.deb
 981563acc850d1535d946bf1ae07e865f3bbb37a9eb6447aa013be5fc0c5117f 1416 git-core_2.11.0-3+deb9u6_all.deb
 50240d4ab8f381180440810cc38eeca08f236010c557a42bade278de55bbc84e 736502 git-cvs_2.11.0-3+deb9u6_all.deb
 551d773f967b51905718f54e8f137e617878213e761e54214e47a8440ddf0208 675068 git-daemon-run_2.11.0-3+deb9u6_all.deb
 fdb7e6392c5debe23bbd3473758f8e026cb6803e463c3ac19765be3c1d2e3f96 675450 git-daemon-sysvinit_2.11.0-3+deb9u6_all.deb
 cf92fd1925337ed56bef3f195bd600349e44ec1f51d9d36492cfea84697dcf95 30274368 git-dbgsym_2.11.0-3+deb9u6_amd64.deb
 eec4c424dde3cc851228fcf939b51494bc31f850519cdfa441f22e94b3d791d7 1536656 git-doc_2.11.0-3+deb9u6_all.deb
 e56f8f961cd5d5a9213f2579bd3c059701ef7eb8a4cc50d1a7e0d31eb04d31c6 692994 git-el_2.11.0-3+deb9u6_all.deb
 d78f45b9725cd427c22e5fd694d8790dc68caf9a2d80879b4d6dc9d004f0d883 695288 git-email_2.11.0-3+deb9u6_all.deb
 f5c6474a0cbacf769a4c2e9c8b06134a08808a05c9871a1f7e6109cc9bfb8fbd 882862 git-gui_2.11.0-3+deb9u6_all.deb
 a35dde4c0ba4725f2595b0e4f183308e909faca5262fa05492285b5a7ba72f55 1436482 git-man_2.11.0-3+deb9u6_all.deb
 96a0ae738ffd1a1b9047c8308ee9c69fdb8cb9c03b0fcc164437b5bf63ba3514 688398 git-mediawiki_2.11.0-3+deb9u6_all.deb
 a6b646de1abd6a09ba8fe85131295df629318af8c153e9b206b6e3d74ffc2c25 758244 git-svn_2.11.0-3+deb9u6_all.deb
 1815643899b7934ddc67137a3e8ff7341401cce50c6ecd8c89726aaef8092a5c 13070 git_2.11.0-3+deb9u6_amd64.buildinfo
 14225d607847fcbddf15b047aef2aece5b25045a9cd4b4aca46f4db4d97ed569 4163854 git_2.11.0-3+deb9u6_amd64.deb
 26abe438ba065556c6404a3c5469d1a22fc7948d2b144e9716b302cf1106bc29 799544 gitk_2.11.0-3+deb9u6_all.deb
 45b5fade4c9cc382987c8cc2629408166b0dc1780556a1085af0249a20bc9d6e 676986 gitweb_2.11.0-3+deb9u6_all.deb
Files:
 8fa2e08f6960c9f64b5f83f2f26f400c 2944 vcs optional git_2.11.0-3+deb9u6.dsc
 cc4640d130468b94f56dc17717997f66 601716 vcs optional git_2.11.0-3+deb9u6.debian.tar.xz
 1ffd23adba4f51158bb09d8fb1bf4e3f 673506 vcs optional git-all_2.11.0-3+deb9u6_all.deb
 b43c9254791b40864678dec899c7969a 686148 vcs optional git-arch_2.11.0-3+deb9u6_all.deb
 201e512e4564129afde5b1fa14e6beb0 1416 vcs optional git-core_2.11.0-3+deb9u6_all.deb
 440a2bc131829b82f0daf5cdad9fa1ab 736502 vcs optional git-cvs_2.11.0-3+deb9u6_all.deb
 c054ee30ed279d4d02d2734e8e1d92ad 675068 vcs optional git-daemon-run_2.11.0-3+deb9u6_all.deb
 76625cb8422e35bbde5a922b8177838e 675450 vcs extra git-daemon-sysvinit_2.11.0-3+deb9u6_all.deb
 d93062c08ae4e9770cf60bd93ad9b044 30274368 debug extra git-dbgsym_2.11.0-3+deb9u6_amd64.deb
 0b02cad2aa93f61b66fad56e6a9b61d4 1536656 doc optional git-doc_2.11.0-3+deb9u6_all.deb
 e5a6ae6f54b4623ba5eb24808a8f2e40 692994 vcs optional git-el_2.11.0-3+deb9u6_all.deb
 70c79b518c04645083f76fb1975f9659 695288 vcs optional git-email_2.11.0-3+deb9u6_all.deb
 fe4f423f2c0a3ebe87ed02de2ab9dbdb 882862 vcs optional git-gui_2.11.0-3+deb9u6_all.deb
 ced12c2611c6cf859c73dd1a7fa9a442 1436482 doc optional git-man_2.11.0-3+deb9u6_all.deb
 1d424a1cdb9fead7f7ff00011b9034fc 688398 vcs optional git-mediawiki_2.11.0-3+deb9u6_all.deb
 89d14aa6af8d2a39b3b31c40d33820f2 758244 vcs optional git-svn_2.11.0-3+deb9u6_all.deb
 10e79abfe3bd25d29d6763bb4070da1b 13070 vcs optional git_2.11.0-3+deb9u6_amd64.buildinfo
 88b1636cdb651be242eea2fc32dbabea 4163854 vcs optional git_2.11.0-3+deb9u6_amd64.deb
 cf61e522d4ba7465857fc56b8ff6302e 799544 vcs optional gitk_2.11.0-3+deb9u6_all.deb
 dc1797058861683690a20696ae024226 676986 vcs optional gitweb_2.11.0-3+deb9u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEUh5Y8X6W1xKqD/EC38Zx7rMz+iUFAl6Ug3kTHGpybmllZGVy
QGdtYWlsLmNvbQAKCRDfxnHuszP6Jbk8D/9aN1T4pqPCG2SWcsXranpYcUQJO/FY
xfJ6o+n+BbGMFGhl+gv2AyxsCo1MfSZ31fXxnKLdvM6/0TxEKmgNYrLQKierYJYx
sEC46klqRLW2Sn9/mKzcKk4X406tRTDCsGDa4Pp9oCor4lVxJ7jbMrwwZ5o6MjhF
vCrsbL0WdKFUxQNrl2J5ISS03IJGSWls0Az1uDxeZb0VUe6AxIGZqOMdtbTKTUoq
R6Z97Q2ffN031aavD3jDqJ8ytX3Xvh2ErCD9E/cxeL0/Nr5+pFKonwVMn6Mq8QMG
6RMSqQOwiv8GvgmNabwJZt9+iGPIYjf1j/PuEhFNlIIPueTrW1ieiD8lPThoRKq8
SWU7L+FuR4gS5OFv+ZD03/J0oEhI5vdp+HGDPTyfYal/zoJp437INq/e5nOs+6QO
JHnGc8heCQyEMzA7sJN++kfB0d6gf3ntQqxPwWgns6/5XYbrLLhgOAOj6AkwcwkU
in/8bZ4pAxdi0swCgIKJSE3K7+PSivZlTDSTQgyMoIPRP5NrHdM/Xn+yfs8B31cC
02CDQKp3t0kmc8A6QD4FJ0xc7mPFexAReUnwlKsj8O+WQfR5+oKpsbOKVKC6T3cw
eLMfrie9GL6t4ZRCPPqfR0yZ4BvuvM1MbdnK9LMABDnWBhs+jmIac6MZH99rwM/+
yhKkg7i/G5YS5A==
=5FwO
-----END PGP SIGNATURE-----
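The CVE-2020-5260 entry in the changelog above states the fix in one sentence: no newline may appear in any value passed via the credential protocol. The following is an added example, not code from git or from the Debian package, that models why that check matters and what it looks like. It assumes only the documented shape of git's credential protocol (one `key=value` pair per line, terminated by a blank line); the attribute values are constructed samples, and the rejection of CR and NUL alongside LF is this example's own stricter choice rather than a claim about what git itself checks.

```python
# Added example (not git's or Debian's code): a minimal model of git's
# credential protocol with the newline check that the CVE-2020-5260 fix
# introduced. The protocol is line oriented: one "key=value" pair per line,
# terminated by a blank line. A newline inside a value therefore ends the
# pair early and lets the remainder be read as further pairs, which is how
# a crafted URL could make a helper answer for the wrong host.


class CredentialProtocolError(ValueError):
    """A key or value would corrupt the line-oriented credential protocol."""


def check_credential_value(key, value):
    """Reject any key or value that cannot be carried in a single protocol line.

    The changelog's rule is "no newline in any value"; this example also
    rejects CR and NUL (its own stricter choice), since a C consumer would
    stop reading at NUL and CR can confuse line splitting on some platforms.
    """
    for field in (key, value):
        if "\n" in field or "\r" in field or "\0" in field:
            raise CredentialProtocolError(
                f"credential {key!r} contains a newline or NUL")
    if key == "" or "=" in key:
        raise CredentialProtocolError(f"invalid credential key {key!r}")


def credential_write(attrs):
    """Serialise a dict of attributes as credential protocol text."""
    lines = []
    for key, value in attrs.items():
        check_credential_value(key, value)
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def credential_read(text):
    """Parse credential protocol text into a dict, stopping at the blank line.

    Values may legitimately contain '=' (passwords often do), so only the
    first '=' on a line separates key from value.
    """
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise CredentialProtocolError(f"malformed protocol line {line!r}")
        check_credential_value(key, value)
        attrs[key] = value
    return attrs


# Constructed sample inputs: a normal request and one whose host value
# carries an embedded newline followed by a second host= pair.
SAFE_ATTRS = {"protocol": "https", "host": "git.example.org", "path": "team/repo.git"}
CRAFTED_ATTRS = {"protocol": "https", "host": "git.example.org\nhost=other.example"}


def demo():
    """Return (round-tripped safe attrs, whether the crafted host was rejected)."""
    roundtrip = credential_read(credential_write(SAFE_ATTRS))
    try:
        credential_write(CRAFTED_ATTRS)
        rejected = False
    except CredentialProtocolError:
        rejected = True
    return roundtrip, rejected


if __name__ == "__main__":
    print(demo())
```

The check is applied on both the writing and the reading side: the writer refuses to emit a value it cannot represent in one line, and the reader refuses a pair it would otherwise have to guess at, so a helper built on the same parser cannot be handed a second `host=` line by accident.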